Author's abstract



Some methods for reasoning about concurrent programs and hardware devices have 
been based on proof systems for temporal logic. Unfortunately, all effective proof 
systems for temporal logic are incomplete for the standard semantics, in the sense 
that some formulas hold in every intended model but cannot be proved. We evaluate 
and compare the power of several proof systems for temporal logic. Specifically, we 
relate temporal systems to classical systems with explicit time parameters. 

A typical temporal system turns out to be incomplete in a strong sense; we exhibit a 
short, valid formula it fails to prove. We suggest the addition of new rules to define 
auxiliary predicates. With these rules, we obtain nonstandard soundness and completeness
results. In particular, one of the simple temporal systems we describe is as
powerful as Peano Arithmetic. 
Capsule review

In many systems of temporal logic, the relationship between time instants resembles 
the ordering of the natural numbers. This correspondence is explored more fully in 
this paper. The main result is that sufficiently (but not unreasonably) strong systems
of temporal logic are equivalent to Peano Arithmetic. This masterful paper establishes 
similar correspondences for several weaker temporal logics. 
Errata for "The Power of Temporal Proofs"



September 8, 1989 



The proof of Theorem 6.2 in "The Power of Temporal Proofs" is seriously
flawed. The claim was that all valid temporal formulas are arithmetical in
the proof system $T_2$. The claim does not appear to be true. Indeed, Andreka,
Nemeti, and Sain, who uncovered the problem, recently sent me a paper with
a counterexample, "On the Strength of Temporal Proofs."

The main role of the claim was as a stepping stone towards Theorem 7.2.
This claim, in turn, says that $T_1$ is complete for arithmetical formulas while
$T_2$ is complete for all formulas. With the failure of Theorem 6.2, the result
proved in 7.2 is weaker. It holds simply that both $T_1$ and $T_2$ are complete
for arithmetical formulas. More precisely, Theorem 7.2 should read:

For every formula $u$, $\vdash_P P(u) \Rightarrow \vdash_{T_1} u$ if $u$ is arithmetical in $\vdash_{T_1}$.
For every formula $u$, $\vdash_P P(u) \Rightarrow \vdash_{T_2} u$ if $u$ is arithmetical in $\vdash_{T_2}$.

This final result may well be enough in practice — and, in particular, 
for the purposes of program verification. On the other hand, it would be 
pleasant to have a proof system complete for all formulas, rather than only 
for arithmetical ones. 

Incidentally, the paper by Andreka, Nemeti, and Sain addresses some of 
the open questions in "The Power of Temporal Proofs," and I recommend 
it to the interested readers. It was presented at the 1989 International 
Symposium on Mathematical Foundations of Computer Science. I would 
also like to thank its authors for discovering this problem. 



1. Introduction 

Temporal logic has been used extensively to reason about concurrent systems. Some 
methods for verifying concurrent programs and hardware devices have been based on proof 
systems for first-order temporal logic, FTL (e.g., [Pn], [OL], [MP3]). Thus, the quality 
and especially the power of these verification methods depend directly on the power of 
the underlying FTL proof systems (e.g., [MP1]). Unfortunately, all effective FTL proof 
systems are incomplete for the standard semantics, in the sense that some formulas hold 
in every intended model but cannot be proved. Evaluating temporal proof systems and 
the corresponding verification methods is therefore a nontrivial problem. 

In this paper, we first prove that all effective FTL proof systems are incomplete for 
the standard semantics and then propose alternative notions of completeness. Specifically, 
we consider a translation of temporal formulas into classical formulas with explicit time 
parameters and ask questions such as "is the temporal formula u provable in (a given 
system for) temporal logic if and only if its translation is provable in (a given system for) 
classical logic?" We study three FTL proof systems. The first one, T 0 , is an extension of the 
usual Hilbert system of Manna and Pnueli ([MP2]) and equivalent to the resolution system 
of Abadi and Manna ([AM]). This basic system is incomplete in a strong sense. We exhibit 
a short valid formula that T 0 fails to prove. The other ones, T a and T 2 , include T 0 with new 
natural rules for defining auxiliary predicates. We give simple characterizations of T\ and 
T2. For instance, our main positive result is that T2 is as powerful as Peano Arithmetic. 
This characterization can be read as a nonstandard soundness and completeness theorem, 
since it means that the formulas provable in T 2 are exactly those that hold in every model 
of Peano Arithmetic. 

We concentrate on Hilbert systems because they are more usual and easier to understand
than systems of other kinds. However, our methods are general, and, for instance,
they immediately apply in the study of resolution systems ([Al]). 

Recently there has been much related work on nonstandard logics of programs (e.g., 
[N], [BS], [Sal], [Sa2]), which proposes notions of completeness similar to ours. However, 
the existing results for temporal logic, which we discuss in more detail below, consider 
only provability of special classes of sentences, with restricted temporal formalisms, and 
in rather weak systems. In particular, they are of limited relevance to the verification of 
concurrent systems. 

Section 2 reviews the syntax and semantics of FTL; the semantics of FTL is formulated 
in two equivalent ways: in terms of possible worlds and through a translation to classical 
logic. In section 3 we show that the standard notion of validity is intractable and suggest 
some approximations based on provability in formal systems of arithmetic. In section 4 
we describe the basic system $T_0$ and prove a nonstandard completeness theorem and an
incompleteness theorem. In section 5 we extend $T_0$ with rules to define auxiliary predicates
and obtain the systems $T_1$ and $T_2$. We give nonstandard completeness theorems for $T_1$
and $T_2$; these completeness theorems and the one in section 4 are not very informative
by themselves, but we invoke them in section 6. We also discuss the connections between
these systems and resolution systems with skolemization rules. In section 6 we introduce
the useful notions of "clock" and "arithmetical formula." Section 7 contains the main
soundness and completeness theorems for $T_1$ and $T_2$. We compare our results with previous
ones in section 8 and pose some open problems in section 9. Some of the more tedious and
trivial proofs are relegated to an appendix.

The material of this paper has appeared in a preliminary form in [A2]. The full work
is discussed in [Al], where soundness and completeness issues for resolution systems are 
discussed in more detail. 



2. Temporal logic 

Several logics of time have been proposed (e.g., [Ka], [Bu2], [VB1]). We consider one 
specific temporal logic described by Manna and Pnueli ([MP1]), which is both general and 
relatively simple. In the intended models, time is discrete, linear, and extends infinitely 
toward the future. We refer to the propositional version of our logic as propositional 
temporal logic (PTL) and to the first-order version as first-order temporal logic (FTL). In 
this section we define PTL and FTL. 



1. Syntax 

Propositional temporal logic 

A language of PTL is a countable collection of propositional symbols $p, q, r, s, \dots$.

Given a language, PTL formulas are built up using 

• propositional symbols in the language; 

• connectives: for simplicity, we assume that the only connectives are $\neg$ ("not"),
$\wedge$ ("and"), and $\vee$ ("or"); we regard other connectives, such as $\mathit{true}$, $\mathit{false}$, $\supset$
("implies") and $\equiv$ ("is equivalent to"), as abbreviations;

• modal operators: the modal operators we consider are the usual ones for discrete
linear time, $\bigcirc$ ("next"), $\Box$ ("always"), $\Diamond$ ("eventually"), and the more general
$\mathcal{U}$ ("until") and $\mathcal{P}$ ("precedes").
Thus, the formation rules for formulas are:

• all propositional symbols in the language under consideration are formulas;

• if $u$ and $v$ are formulas then so are $\neg u$, $u \wedge v$, $u \vee v$, $\bigcirc u$, $\Box u$, $\Diamond u$, $u\,\mathcal{U}\,v$, and $u\,\mathcal{P}\,v$.

First-order temporal logic 

A language of FTL consists of a countable collection of predicate and function symbols 

$p, q, r, s, \dots, a, b, c, f, g, h, \dots$.

We associate a nonnegative integer with each symbol in a language, as its arity. Propositional
symbols and constant symbols are simply predicate symbols and function symbols
with arity 0, respectively. Given a language, FTL formulas are built up using

• predicate and function symbols in the language; 

• the equality symbol =, which we treat as an additional predicate symbol; 

• variable symbols, such as $x, y, z, x_0, y_0, z_0, x_1, y_1, z_1, \dots$;

• connectives and modal operators, as in PTL; 

• the quantifiers V and 3. 

The formation rules for terms are: 

• all variable symbols are terms;

• if $f$ is a function symbol of arity $k$ and $t_1, \dots, t_k$ are terms then $f(t_1, \dots, t_k)$ is a
term.

The formation rules for atomic formulas are:

• if $p$ is a predicate symbol of arity $k$ and $t_1, \dots, t_k$ are terms then $p(t_1, \dots, t_k)$ is
an atomic formula;

• if $t_1$ and $t_2$ are terms then $t_1 = t_2$ is an atomic formula.

Other formulas are obtained as follows:

• formulas are constructed from other formulas by application of connectives and
modal operators, as in PTL;

• if $x$ is a variable and $u$ is a formula then $\forall x.u$ and $\exists x.u$ are formulas.
Thus, all PTL formulas are also FTL formulas. 
Flexible and rigid symbols

In PTL, all propositional symbols are flexible, that is, we intend to give them time-dependent
meanings.

In FTL, it is particularly convenient and natural to give time-independent meanings 
to some symbols, which we call rigid symbols, and time-dependent meanings to other 
symbols, which we call flexible symbols. Thus, in a given language of FTL, each symbol is 
either flexible or rigid. The equality symbol = is always rigid: two individuals are either 
always identical or always different (of course, if a and b are flexible symbols then a may 
equal b some times and may be different from b at other times; we attribute this to changes 
in the denotation of a and b rather than to changes in the denotation of =). 

A term or a formula is said to be rigid if it contains no occurrences of flexible symbols; 
otherwise, it is said to be flexible. 

For example, if busy is a flexible (time-dependent) unary predicate symbol and printer 
is a rigid (time-independent) constant symbol, then 

$\mathit{busy}(\mathit{printer}) \wedge \bigcirc\Box\neg\mathit{busy}(\mathit{printer})$

is a flexible formula. We intend to give the same value to printer in all states, and to make 
the property of being busy time-dependent. 



2. A possible-worlds semantics 

Informally, FTL formulas are evaluated over sequences of states. If u and v are formulas 

then 

• $\bigcirc u$ means "$u$ is true in the next state";

• $\Box u$ means "$u$ is always true (from now on)";

• $\Diamond u$ means "$u$ is eventually true";

• $u\,\mathcal{U}\,v$ means "$u$ is true until $v$ is true"; in particular, $u$ is true forever if $v$ is never
true (therefore, $\mathcal{U}$ is often called "weak until" or "unless");

• $u\,\mathcal{P}\,v$ means "$u$ precedes $v$"; that is, $u$ must hold sometime before the first time
when $v$ holds and must hold eventually if $v$ never holds.

A formal semantics is described in terms of possible worlds ([HC]). Given a language,
a model $M$ is a tuple $(D, W, w_0, R_1, R_2, \alpha, I)$.

• The domain D is a non-empty set. 
• $W$, the frame, is a set with a distinguished element $w_0$. Intuitively, $W$ is the set
of worlds and $w_0$ the present world. (We require that there be just one domain
$D$ common to all worlds, rather than a domain $D_w$ for each element $w$ of $W$, as
in some other modal logics.)

• $R_1$ and $R_2$ are two binary accessibility relations on $W$. Intuitively, $R_1$ corresponds
to "next" and $R_2$ to "eventually."

• $\alpha$ is an assignment of values to the variables, that is, a mapping from the set of
variables to $D$.

• The interpretation $I$ gives a meaning to predicate and function symbols: for each
world $w$, $I$ maps each predicate symbol $p$ to a relation $I(w, p)$ over $D$ and each
function symbol $f$ to a function $I(w, f)$ over $D$. The meaning of rigid symbols
must be the same at all worlds.

The evaluation function and the satisfaction relation 

If $d_1, \dots, d_n$ are elements of $D$ then

$M \circ (x_1 \leftarrow d_1, \dots, x_n \leftarrow d_n)$

denotes the model obtained from $M$ by modifying its assignment function $\alpha$ to map the
variables $x_1, \dots, x_n$ to $d_1, \dots, d_n$, respectively. If $w$ is a world in $W$ then

$M@w$

denotes the model obtained from $M$ by modifying its present world to be $w$.

We define inductively the binary evaluation function $\tau$, which evaluates terms in
models, and the binary satisfaction relation between models and formulas, $\models$:

• For terms:

$\tau(M, x) = \alpha(x)$,
$\tau(M, f(t_1, \dots, t_k)) = I(w_0, f)(\tau(M, t_1), \dots, \tau(M, t_k))$.

• For atomic formulas:

$M \models p(t_1, \dots, t_k) \Leftrightarrow I(w_0, p)(\tau(M, t_1), \dots, \tau(M, t_k))$,
$M \models t_1 = t_2 \Leftrightarrow \tau(M, t_1) = \tau(M, t_2)$.

• For connectives:

$M \models \neg u \Leftrightarrow M \not\models u$,
$M \models u \wedge v \Leftrightarrow [M \models u \wedge M \models v]$,
$M \models u \vee v \Leftrightarrow [M \models u \vee M \models v]$.

• For quantifiers:

$M \models \forall x.u \Leftrightarrow \forall d \in D.[M \circ (x \leftarrow d) \models u]$,
$M \models \exists x.u \Leftrightarrow \exists d \in D.[M \circ (x \leftarrow d) \models u]$.



• For modal operators:

$M \models \bigcirc u \Leftrightarrow \exists w_1.[w_0 R_1 w_1 \wedge M@w_1 \models u]$,
$M \models \Box u \Leftrightarrow \forall w_1.[w_0 R_2 w_1 \supset M@w_1 \models u]$,
$M \models \Diamond u \Leftrightarrow \exists w_1.[w_0 R_2 w_1 \wedge M@w_1 \models u]$,
$M \models u\,\mathcal{U}\,v \Leftrightarrow \forall w_1.[w_0 R_2 w_1 \supset (M@w_1 \models u \vee \exists w_2.(w_0 R_2 w_2 \wedge w_2 R_2 w_1 \wedge M@w_2 \models v))]$,
$M \models u\,\mathcal{P}\,v \Leftrightarrow \exists w_1.[w_0 R_2 w_1 \wedge M@w_1 \models u \wedge \forall w_2.(w_0 R_2 w_2 \wedge w_2 R_2 w_1 \supset M@w_2 \models \neg v)]$.

Thus, $\Box u$ is equivalent to $u\,\mathcal{U}\,\mathit{false}$. Furthermore, $\Diamond u$ and $u\,\mathcal{P}\,v$ are equivalent
to $\neg\Box\neg u$ and $\neg((\neg u)\,\mathcal{U}\,v)$, respectively.



Standard models, satisfiability, and validity 

The model $M$ is standard if $(W, w_0, R_1, R_2)$ is isomorphic to $(N, 0, s, <)$, that is, the
natural numbers with the constant zero, the successor function, and the less-than relation.
In particular, $R_1$ is a function and $R_2$ is the reflexive transitive closure of $R_1$ in all standard
models.

We are interested in standard models because they are the intended models of temporal 
logic. On the other hand, we need to consider other models as well, in particular when we 
study soundness and completeness issues. 

The formula $u$ is satisfiable if some standard model $M$ satisfies $u$, that is, $M \models u$. The
formula $u$ is valid if all standard models satisfy $u$; we denote this by $\models u$.



Free variables are implicitly universally quantified as far as validity is concerned: u is 
valid exactly when Vx.u is valid. 
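As an added illustration of the possible-worlds clauses above, the following evaluator was written for this edition and is not code from the paper. It evaluates propositional formulas over a standard model given as a finite prefix of states followed by a loop repeated forever (a "lasso"); that representation is an assumption of the example, not something the paper uses. Because the suffix of such a sequence repeats after the prefix, the truth value of any formula at a position is periodic there, which turns the quantifications over all later positions into finite checks. The block also confirms, on a constructed sample model, the three equivalences stated after the modal clauses: $\Box u \equiv u\,\mathcal{U}\,\mathit{false}$, $\Diamond u \equiv \neg\Box\neg u$ and $u\,\mathcal{P}\,v \equiv \neg((\neg u)\,\mathcal{U}\,v)$.

```python
# Added example (written for this edition; not code from the paper): evaluating
# PTL formulas over a standard model. Formulas are tuples:
#   ('prop', name), ('false',), ('not', u), ('and', u, v), ('or', u, v),
#   ('next', u), ('always', u), ('eventually', u), ('until', u, v), ('precedes', u, v).
# A standard model is the infinite state sequence state(0), state(1), ...; each
# state is the set of propositional symbols true at that time. The example assumes
# the sequence is a finite prefix followed by a loop repeated forever (a "lasso").

def lasso(prefix, loop):
    """Return (state, L, K): state(i) is the i-th state, L the prefix length, K the period."""
    if not loop:
        raise ValueError("the loop must contain at least one state")
    def state(i):
        return prefix[i] if i < len(prefix) else loop[(i - len(prefix)) % len(loop)]
    return state, len(prefix), len(loop)


def holds(u, m, model):
    """M@m |= u, following the possible-worlds clauses: R1 is i -> i+1, R2 is <=.
    Once i >= L the suffix from i equals the suffix from i+K, so by induction on u
    the truth value of u at i is periodic there; quantification over all i >= m can
    therefore be checked on the finite window m .. max(m, L)+K-1."""
    state, L, K = model
    op = u[0]
    window = range(m, max(m, L) + K)
    if op == "prop":
        return u[1] in state(m)
    if op == "false":
        return False
    if op == "not":
        return not holds(u[1], m, model)
    if op == "and":
        return holds(u[1], m, model) and holds(u[2], m, model)
    if op == "or":
        return holds(u[1], m, model) or holds(u[2], m, model)
    if op == "next":
        return holds(u[1], m + 1, model)
    if op == "always":
        return all(holds(u[1], i, model) for i in window)
    if op == "eventually":
        return any(holds(u[1], i, model) for i in window)
    if op == "until":      # weak until: at every i, u holds or v held at some j with m <= j <= i
        return all(holds(u[1], i, model)
                   or any(holds(u[2], j, model) for j in range(m, i + 1))
                   for i in window)
    if op == "precedes":   # u holds at some i and v is false at every j with m <= j <= i
        return any(holds(u[1], i, model)
                   and not any(holds(u[2], j, model) for j in range(m, i + 1))
                   for i in window)
    raise ValueError(f"unknown operator {op!r}")


def equivalent_in(u, v, model):
    """True if u and v have the same truth value at every position of the model."""
    _, L, K = model
    return all(holds(u, m, model) == holds(v, m, model) for m in range(L + K))


# Constructed sample model: states {p}, {p,q}, then the loop {}, {q}, {}, {q}, ...
SAMPLE = lasso([{"p"}, {"p", "q"}], [set(), {"q"}])
P_, Q_ = ("prop", "p"), ("prop", "q")

if __name__ == "__main__":
    print(holds(("until", P_, Q_), 0, SAMPLE))       # True: p holds until q first holds
    print(holds(("precedes", Q_, P_), 0, SAMPLE))    # False: p is true before q ever is
    print(equivalent_in(("always", P_), ("until", P_, ("false",)), SAMPLE))
```

The window bound is the only place where the lasso assumption enters: with an arbitrary infinite sequence the `always` and `until` clauses would not terminate, which is the computational face of the point made in section 3 that standard validity is not effectively axiomatizable.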



3. An arithmetical semantics

So far we have described models and the satisfaction relation in terms of possible 
worlds. An alternative way to interpret FTL is to translate temporal formulas into classical 
formulas that contain some arithmetic symbols. This arithmetical semantics is equivalent 
to the possible-world semantics. However, it leads to some insights about the complexity of
FTL and about alternatives to the standard notion of completeness, typical of Correspondence
Theory, which studies connections between modal and classical systems ([VB2]).

For each temporal language $L$, we define a countable, two-sorted, classical language
$L_O$ ("$O$" stands for "order").

The sort $S_N$, which we interpret as the sort of natural numbers, is equipped with the
constant symbol $0$, the function symbol $s$, the predicate symbol $<$, and the equality symbol
$=$. It is technically practical to consider that in actuality $0$ and $s$ are just convenient,
informal abbreviations for the unary predicate symbol $0_p$ and the binary predicate symbol
$s_p$, respectively. Countably many variables of the number sort are denoted by letters like
$i, j$; terms of this sort are denoted by letters like $m$.

The equality symbol $=$ and all predicate and function symbols in $L$ are also in $L_O$, to
apply to terms of sort $S_D$, which we interpret as the sort of data. The arity of rigid symbols
in $L_O$ is the same as in $L$. Terms of sort $S_N$ cannot occur as arguments of these rigid
symbols. The arity of flexible symbols in $L_O$ is their arity in $L$ incremented by one. Terms
of sort $S_N$ occur as last arguments of these flexible symbols, and in no other argument
position.

For example, a typical formula of $L_O$ is $\exists x \forall i.[s(j) < i \supset p(f(x, a, s(i)), i)]$. Here, $i$
and $j$ are intended to range over numbers; $s$ and $<$ have their usual intended meanings.
On the other hand, $x$ ranges over some arbitrary data domain; $a$ is uninterpreted in this
same domain; $f$ is uninterpreted, with this domain as range, and two pieces of data and
one number as arguments; $p$ is uninterpreted, with two arguments, one piece of data and
one number.

A two-sorted classical model for $L_O$ consists of the following components: two sets
$D_N$ and $D_D$, the universes for the sorts $S_N$ and $S_D$, respectively; relations on $D_N$ to
interpret $0_p$, $s_p$, and $<$; relations of the appropriate types to interpret the other predicate
and function symbols; and two functions to assign values to variables, one for $S_D$ and one
for $S_N$.

As usual, the satisfaction relation, $\models_O$, is defined inductively over formulas. By
$M \models_O w$ we mean that the two-sorted classical model $M$ satisfies the $L_O$ formula $w$, with
no assumptions on the properties of $M$ (in particular, $D_N$ need not even be countable).
We can give a standard semantics to $L_O$ in the natural way, requiring that $D_N$ be the
natural numbers, $<$ the usual less-than relation between numbers, etc. The interpretation
of the data symbols is left open. By $\models_O w$ we mean that all standard models satisfy $w$.
Thus, $\models_O$ represents standard validity.

Any temporal formula in a language $L$ can be translated into a classical formula in
the corresponding language $L_O$; informally, we may think of this classical formula as the
meaning of the temporal formula. The function $P$ maps FTL formulas to their translations
in arithmetic.

For all $u$, let $P(u) = P^*(u, 0)$, where $P^*$ is an auxiliary translation function
defined by:

$P^*(p(t_1, \dots, t_k), m) = p(P^*(t_1, m), \dots, P^*(t_k, m))$ if $p$ is a rigid symbol,
$P^*(p(t_1, \dots, t_k), m) = p(P^*(t_1, m), \dots, P^*(t_k, m), m)$ if $p$ is a flexible symbol,
$P^*(\bigcirc u, m) = P^*(u, s(m))$,
$P^*(\Box u, m) = \forall i \ge m.P^*(u, i)$ ($i$ and $j$ are new variables),
$P^*(\Diamond u, m) = \exists i \ge m.P^*(u, i)$,
$P^*(u\,\mathcal{U}\,v, m) = \forall i \ge m.(P^*(u, i) \vee \exists j.(m \le j \le i \wedge P^*(v, j)))$,
$P^*(u\,\mathcal{P}\,v, m) = \exists i \ge m.(P^*(u, i) \wedge \forall j.(m \le j \le i \supset \neg P^*(v, j)))$,

and $P^*$ preserves connectives, quantifiers, and variables.
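The translation $P$ carried out mechanically, as an added example written for this edition rather than code from the paper. The tuple syntax for temporal formulas, the ASCII rendering of the classical output (`&`, `|`, `~`, `->`, `forall`, `exists`) and the fresh number-variable names `i0`, `j1`, ... are conventions chosen here; the inclusive bounds $m \le j \le i$ in the clauses for $\mathcal{U}$ and $\mathcal{P}$ follow the possible-worlds clauses of section 2.2, where the "eventually" relation $R_2$ is reflexive. The set of flexible symbols is a parameter, as it is in the definition of $P^*$.

```python
import itertools

# Added example (written for this edition; not the paper's code). Syntax chosen here:
# terms are variable names (str) or tuples (symbol, *args), so ('printer',) is a
# constant and ('f', 'x', ('a',)) is f(x, a); formulas are tuples headed by 'atom',
# 'eq', 'not', 'and', 'or', 'next', 'always', 'eventually', 'until', 'precedes',
# 'forall' or 'exists'. The output is a classical formula as an ASCII string in which
# every flexible symbol carries the time term as its LAST argument.

def translate_term(t, m, flexible):
    """P* on terms: every flexible symbol gets the current time term m appended."""
    if isinstance(t, str):
        return t                                     # variables are left unchanged
    name, args = t[0], [translate_term(s, m, flexible) for s in t[1:]]
    if name in flexible:
        args.append(m)
    return f"{name}({', '.join(args)})" if args else name


def translate(u, m, flexible, fresh):
    """P*(u, m): u is a temporal formula, m the time term at which it is evaluated."""
    op = u[0]
    go = lambda v, at: translate(v, at, flexible, fresh)
    if op == "atom":
        name, args = u[1], [translate_term(t, m, flexible) for t in u[2:]]
        if name in flexible:
            args.append(m)
        return f"{name}({', '.join(args)})" if args else name
    if op == "eq":                                   # equality is always rigid
        return f"{translate_term(u[1], m, flexible)} = {translate_term(u[2], m, flexible)}"
    if op == "not":
        return f"~{go(u[1], m)}"
    if op in ("and", "or"):                          # connectives are preserved
        return f"({go(u[1], m)} {'&' if op == 'and' else '|'} {go(u[2], m)})"
    if op == "next":                                 # P*(O u, m) = P*(u, s(m))
        return go(u[1], f"s({m})")
    if op == "always":                               # forall i >= m . P*(u, i)
        i = fresh("i")
        return f"forall {i}.({i} >= {m} -> {go(u[1], i)})"
    if op == "eventually":                           # exists i >= m . P*(u, i)
        i = fresh("i")
        return f"exists {i}.({i} >= {m} & {go(u[1], i)})"
    if op == "until":                                # weak until, bounds m <= j <= i
        i, j = fresh("i"), fresh("j")
        return (f"forall {i}.({i} >= {m} -> ({go(u[1], i)} | "
                f"exists {j}.({m} <= {j} & {j} <= {i} & {go(u[2], j)})))")
    if op == "precedes":                             # u precedes v
        i, j = fresh("i"), fresh("j")
        return (f"exists {i}.({i} >= {m} & {go(u[1], i)} & "
                f"forall {j}.({m} <= {j} & {j} <= {i} -> ~{go(u[2], j)}))")
    if op in ("forall", "exists"):                   # quantifiers are preserved
        return f"{op} {u[1]}.{go(u[2], m)}"
    raise ValueError(f"unknown operator {op!r}")


def P(u, flexible):
    """P(u) = P*(u, 0), with fresh number variables i0, j1, ... generated on demand."""
    counter = itertools.count()
    return translate(u, "0", flexible, lambda base: f"{base}{next(counter)}")


# The paper's own example formula busy(printer) /\ O [] ~busy(printer), with busy
# flexible and printer rigid.
PRINTER = ("and", ("atom", "busy", ("printer",)),
           ("next", ("always", ("not", ("atom", "busy", ("printer",))))))

if __name__ == "__main__":
    print(P(PRINTER, flexible={"busy"}))
    # (busy(printer, 0) & forall i0.(i0 >= s(0) -> ~busy(printer, i0)))
```

The output for the printer formula reads exactly as the prose predicts: `printer` keeps a single time-independent denotation, while `busy` acquires a time argument that is `0` for the present state and `i0` ranging over all states from `s(0)` on.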

Furthermore, there is a natural function $C$ to convert a possible-world model $M$ into a
two-sorted classical model. The data domain in $C(M)$ is $D$, the domain of $M$; the number
domain in $C(M)$ is $W$, the set of possible worlds in $M$; $0$, $s$, and $<$ correspond to $w_0$, $R_1$,
and $R_2$, respectively. The assignment and the interpretation are not affected.

The following simple propositions express that the possible-world semantics and the 
arithmetical semantics are fundamentally the same. 

Proposition 2.1.

$M \models u \Leftrightarrow C(M) \models_O P(u)$.

Proof:

A simple inductive argument on the structure of $u$ yields the result. ∎

The function $C$ is a bijection. Let $D$ be its inverse.

Proposition 2.2.

$D(M) \models u \Leftrightarrow M \models_O P(u)$.

Proof:

Given a classical model $M$, proposition 2.1 guarantees that

$D(M) \models u \Leftrightarrow C(D(M)) \models_O P(u)$.

The result follows immediately, because $C(D(M)) = M$. ∎

Note that $C$ maps standard possible-world models into standard classical models.
Also, $D$ maps standard classical models into standard possible-world models. Thus, the
propositions yield:

Corollary 2.3.

$\models u \Leftrightarrow \models_O P(u)$.

Proof:

Suppose that $\neg u$ holds in the standard possible-world model $M$. Then $P(\neg u)$ holds in
the standard classical model $C(M)$. Since $\neg P(u) = P(\neg u)$, $\neg P(u)$ holds in the standard
classical model $C(M)$. To check the other direction of the equivalence, suppose that $\neg P(u)$
holds in the standard classical model $M$, that is, $P(\neg u)$ holds in $M$. Therefore, $\neg u$ holds
in the standard possible-world model $D(M)$. ∎

Thus, in a precise sense, if we redefine the meaning of an FTL formula $u$ to be the
meaning of $P(u)$, the semantics remains the same.



3. On standard incompleteness

We prove that standard validity is $\Pi^1_1$-complete (see, for example, [R]). In particular,
no effective system for FTL can be complete in the standard sense. Therefore, we propose
more realistic and practical notions of completeness.



1. The complexity of validity

A formula $u$ is $\Pi^1_1$ if $u = (\forall R_1 \dots \forall R_k \forall F_1 \dots \forall F_l . v)$ for some classical first-order
formula $v$, and $0$, $s$, $<$, $+$, $\times$, $R_1, \dots, R_k$, $F_1, \dots, F_l$ are all the predicate and function
symbols in $v$. The complexity class $\Pi^1_1$ includes all problems no harder than the truth
problem for $\Pi^1_1$ formulas.

The following proposition and its corollary state that the validity problem is in the
class $\Pi^1_1$. Intuitively, the question of the validity of a temporal formula can be reduced to
the question of the truth of a $\Pi^1_1$ formula: we replace times with numbers.
Proposition 3.1.

$\models_O$ is in $\Pi^1_1$.

Proof:

If a formula has a standard model then we can construct a standard term model. As usual,
the domain of this model is a set of terms modulo equality in the original model. Since
the languages under consideration are countable, this term model is also countable.

In turn, if a formula has a countable model then we can construct a model with $N$
as data domain. To do this, we number the elements of the original model and say that
a relation holds for a tuple of numbers in the new model if it holds for the corresponding
data in the original model.

Thus, $\models_O u$ if $u$ holds in all standard models with $N$ as domain. Therefore, all uninterpreted
symbols in $u$ can be taken to range over relations and functions on numbers. We
conclude that $\models_O u$ if and only if $\forall R_1 \dots \forall R_k \forall F_1 \dots \forall F_l . u$ holds for the natural numbers,
where $0$, $s$, $<$, $R_1, \dots, R_k$, $F_1, \dots, F_l$ are all the predicate and function symbols in $u$. This
reduces the question of the validity of $u$ to the question of the truth of a $\Pi^1_1$ formula. ∎

Since the translation function $P$ is primitive recursive, we have:

Corollary 3.2.

$\models$ is in $\Pi^1_1$.

The symbol $\models$ refers to validity over the standard models, which have frames isomorphic
to the natural numbers. We exploit this to show that the upper bound of the previous
corollary is actually tight, that is, $\models$ is $\Pi^1_1$-complete:

Theorem 3.3.

$\models$ is $\Pi^1_1$-hard.

Proof:

It suffices to show a recursive translation function that embeds $\Pi^1_1$ formulas in FTL. More
precisely, we want a function $E$ to map $\Pi^1_1$ formulas to temporal formulas such that $u$ is
true if and only if $\models E(u)$.

Given $u$ of the form $\forall R_1 \dots \forall R_k \forall F_1 \dots \forall F_l . v$, with $v$ a first-order formula, we may
drop the second-order quantifiers, since the notion of validity contains an implicit universal
quantification on free predicate and function symbols. More precisely, let $E(u) = E'(v)$,
where $E'$ is an auxiliary function. To define $E'$, we first "simulate" numbers in FTL. Let
$0$, $s$, $<$, $+$, and $\times$ be rigid uninterpreted symbols of the appropriate arities and $a$ be a
flexible constant symbol. Let $A$ be the sentence


$(\forall x.\Diamond a = x)$
$\wedge (\forall x.\Box(a = x \supset \bigcirc\Box a \ne x))$
$\wedge (a = 0)$
$\wedge (\forall x \forall y.(s(x) = y \equiv \Diamond(a = x \wedge \bigcirc a = y)))$
$\wedge (\forall x \forall y.(x < y \equiv \Diamond(a = x \wedge \Diamond a = y)))$
$\wedge (\forall x.x + 0 = x)$
$\wedge (\forall x \forall y.x + s(y) = s(x + y))$
$\wedge (\forall x.x \times 0 = 0)$
$\wedge (\forall x \forall y.x \times s(y) = x \times y + x)$.

The sentence $A$ defines the numbers and the corresponding operations, by representing the
number $i$ as the value of $a$ at time $i$. Furthermore, $A$ guarantees that all elements of the
domain represent numbers. More precisely, suppose that $M$ is a model for a language that
includes the symbols $0$, $s$, $<$, $+$, $\times$, $R_1, \dots, R_k$, and $F_1, \dots, F_l$. Let $D$ be the domain of
$M$ and let $0_M$, $s_M$, $<_M$, $+_M$, $\times_M$ be the interpretations for $0$, $s$, $<$, $+$, $\times$, respectively.
If $A$ holds in $M$ then the structure $(D, 0_M, s_M, <_M, +_M, \times_M)$ is isomorphic to the natural
numbers with the usual arithmetic operations. Now let $E'(v) = (A \supset v)$. The embedding
$E$ has the desired properties. ∎

Remark: The proof does not use any flexible symbols other than one flexible constant
symbol. Therefore, the theorem holds even for restricted FTL languages where all predicate
symbols and (non-constant) function symbols are rigid.

Also, the proof does not require quantification in modal contexts: $A$ does not contain
quantifiers in modal contexts, and $v$ does not contain modal operators. As usual,
all quantifiers can be extracted (using skolemization); thus, the proof indicates that the
validity problem for FTL sentences of the form $\exists x.u$, where $u$ is quantifier-free, remains
$\Pi^1_1$-complete. On the other hand, the validity problem for quantifier-free formulas is clearly
decidable, since it is essentially a propositional temporal problem. ∎

Remark: The theorem was first proved by Parikh ([Pa2]). We have proved it again
independently. A third proof could exploit the theory of dominoes, as Harel's intractability
proof for first-order dynamic logic ([Ha2]). ∎



2. Weaker notions of completeness 

Thus, the standard concept of validity is overly demanding from a theorem-proving
perspective: no practical system could possibly be complete with respect to $\models$. Like
arithmetic ([Go]), temporal logic has no recursively enumerable axiomatization, that is, it 
does not have any useful axiomatization at all. Weaker, recursively enumerable alternatives 
to the standard concept of validity may be more appropriate and useful in the study of 
FTL proof systems. 
For instance, consider equipping a two-sorted classical language $L_O$ with a proof system.
Take $\vdash_O$ to mean provability in first-order logic. Of course, we include the usual
equality axioms (reflexivity, symmetry, transitivity, substitutivity), and functionality axioms
to the effect that there is a unique $0$ and that successors are unique; we also give
natural axioms for $0$, $s$, and $\le$ ([MW]):

$\vdash_O \forall i.(s(i) \ne 0)$,
$\vdash_O \forall i \forall j.(s(i) = s(j) \supset i = j)$,
$\vdash_O \forall i.((i \le 0) \equiv (i = 0))$,
$\vdash_O \forall i \forall j.(i \le s(j) \equiv (i = s(j) \vee i \le j))$,
$\vdash_O u[0] \wedge (\forall i.u[i] \supset u[s(i)]) \supset (\forall i.u[i])$.

Given a proof concept $\vdash$ for FTL and a formula $u$, we may ask whether

$\vdash u$ if and only if $\vdash_O P(u)$.

The proof concept $\vdash_O$ takes into account a large class of nonstandard models, that is,
provability with $\vdash_O$ is equivalent to validity over a class of models much larger than the
class of standard models. The equivalence "$\vdash u$ if and only if $\vdash_O P(u)$" is the least restrictive
requirement we find acceptable: any FTL system incomplete with respect to $\vdash_O$
should probably be replaced with a system that translates temporal formulas into classical
formulas and then uses $\vdash_O$.

Now suppose that the function symbols $+$ and $\times$ are added to $L_O$; again, it is practical
to regard them as abbreviations for the ternary predicate symbols $+_p$ and $\times_p$, respectively.
The new language is $L_P$ ("$P$" stands for "Peano"). The usual Peano axioms for $+$ and $\times$
are added to $\vdash_O$:

$\vdash_P \forall i.(i + 0 = i)$,
$\vdash_P \forall i \forall j.(i + s(j) = s(i + j))$,
$\vdash_P \forall i.(i \times 0 = 0)$,
$\vdash_P \forall i \forall j.(i \times s(j) = i \times j + i)$.

Also, the induction schema is extended to the language with $+$ and $\times$. We obtain $\vdash_P$.
Note that $\vdash_P$ is strictly more powerful than $\vdash_O$ ([BS]). Given a proof concept $\vdash$ for FTL
and a formula $u$, we may ask whether

$\vdash u$ if and only if $\vdash_P P(u)$.

Since Peano Arithmetic proves almost all valid sentences of practical interest, completeness
with respect to $\vdash_P$ is an attractive requirement.



4. A basic proof system

We start the study of FTL proof systems with a description of a basic Hilbert system
$T_0$. This system is an extension to our languages of the Hilbert system of Manna and Pnueli
([MP2]), equivalent to the resolution system of Abadi and Manna ([AM]). We prove a very
nonstandard completeness theorem and a nonstandard incompleteness theorem for $T_0$.



1. The proof system 

Many Hilbert systems have been given for linear-time propositional temporal logics.
Gabbay, Pnueli, Shelah, and Stavi proposed the following one ([GPSS]):

• If $\vdash_H u$ and $\vdash_H (u \supset v)$ then $\vdash_H v$.

• If $\vdash_H u$ then $\vdash_H \Box u$.

• If $u$ is a tautology then $\vdash_H u$.

• $\vdash_H \Box(p \supset q) \supset (\Box p \supset \Box q)$.

• $\vdash_H \bigcirc(\neg p) \equiv \neg\bigcirc p$.

• $\vdash_H \bigcirc(p \supset q) \supset (\bigcirc p \supset \bigcirc q)$.

• $\vdash_H \Box p \supset p \wedge \bigcirc\Box p$.

• $\vdash_H \Box(p \supset \bigcirc p) \supset (p \supset \Box p)$.

• $\vdash_H (p\,\mathcal{U}\,q) \equiv q \vee (p \wedge \bigcirc(p\,\mathcal{U}\,q))$.

This system is complete for PTL with the operators $\bigcirc$, $\Box$, $\mathcal{U}$. When the two
axioms involving $\mathcal{U}$ are deleted, the system is complete for PTL with the operators $\bigcirc$,
$\Box$. Finally, the axioms $\vdash_H \Diamond p \equiv \neg\Box\neg p$ and $\vdash_H (p\,\mathcal{P}\,q) \equiv \neg((\neg p)\,\mathcal{U}\,q)$ handle $\Diamond$ and $\mathcal{P}$.

Manna and Pnueli have presented a similar Hilbert system for PTL and have extended
it to a variant of FTL where only constant symbols may be flexible. This extension is
based on the addition of traditional quantifier rules and a variant of the Barcan axiom,
$(\forall x.\Box u) \supset (\Box\forall x.u)$.

We describe a basic Hilbert system $T_0$ for FTL that also relies on traditional quantifier
rules and variants of the Barcan axiom:

• If $\vdash_{T_0} u$ and $\vdash_{T_0} (u \supset v)$ then $\vdash_{T_0} v$.

• If $\vdash_{T_0} u$ then $\vdash_{T_0} \Box u$.

• If $\vdash_{T_0} (u \supset v)$ and $x$ is not free in $u$ then $\vdash_{T_0} (u \supset \forall x.v)$.

• If $u$ is an instance of a schema valid in PTL then $\vdash_{T_0} u$.

• If $u$ is a rigid formula then $\vdash_{T_0} u \equiv \bigcirc u$.

• If $u$ is an equality axiom then $\vdash_{T_0} u$.

• $\vdash_{T_0} \exists x.\neg u \equiv \neg\forall x.u$.

• $\vdash_{T_0} (\forall x.u) \supset u\theta$, where $\theta$ is the substitution $\{x \leftarrow t\}$ and does not create any new
bound occurrences of variables or any new occurrences of flexible terms in the
scope of modal operators.

• $\vdash_{T_0} (\forall x.\bigcirc u) \equiv (\bigcirc\forall x.u)$.

The first axiom schema, "if $u$ is an instance of a schema valid in PTL then $\vdash_{T_0} u$,"
conveniently abstracts away all details of how PTL proofs are constructed. Of course, the
schema could be replaced with any complete system for PTL, such as the one described
above. In particular, we would have an induction schema, $\Box(u \supset \bigcirc u) \supset (u \supset \Box u)$.

The last two axiom schemas resemble the Barcan axiom. They attempt to capture
the fact that the domain of discourse is time-independent.



2. A very nonstandard completeness theorem

In this section we present a nonstandard strong-completeness theorem for $T_0$. We say
that the theorem is very nonstandard because it states the equivalence between provability
in $T_0$ and validity over a large class of models. The theorem answers an immediate, natural
question about $T_0$ and is useful in later sections.

A set of formulas $\Sigma$ is $T_0$-consistent if $\nvdash_{T_0} \neg(u_1 \wedge \dots \wedge u_n)$ for all $u_1, \dots, u_n \in \Sigma$.
A model of $T_0$ is a model where all the theorems of $T_0$ hold at every world. The system
$T_0$ is trivially sound with respect to models of $T_0$; the following theorem says that $T_0$
is also complete with respect to models of $T_0$. The proof of the theorem is based on a
new variation on well-known techniques for constructing a model from a consistent set of
formulas.

Theorem 4.1. Very nonstandard strong completeness

If the set of formulas $\Sigma$ is $T_0$-consistent then $\Sigma$ holds in some model of $T_0$.
Proof: 

The proof of strong completeness requires only usual techniques (e.g., [Gar], pp. 273-276) 
when the logic does not include $\mathcal{U}$ and $\mathcal{V}$. When the logic does include $\mathcal{U}$ and $\mathcal{V}$, these 
techniques fail. Moreover, typical known results for PTL (e.g., [GPSS]) do not extend to 
FTL because the models constructed in their proofs satisfy formulas with $\mathcal{U}$ and $\mathcal{V}$ only after 
some steps impossible in first-order logics. Burgess ([Bui]) has proven other completeness 
theorems for logics with the operators "since" and "until." However, his results do not 
immediately apply to a logic without past operators, because in his system reasoning about 
the future may include intermediate deductions about the past, and it is not obvious that 
these can be avoided. 

We give a new construction of models of modal logics, to obtain a model $M$ for a 
consistent set of formulas $\Sigma$. We emphasize the difficulties found in the propositional case. 
Our technique has the feature of extending to the first-order logic without any new insights. 

We prove the theorem for languages with no flexible function symbols. This limited 
version is all we use later on (in section 6) and entails no loss of generality (as is checked 
in the appendix). 

Throughout the proof, we claim that certain formulas are theorems of $T_0$ when they 
are instances of simple valid PTL schemas. Similarly, we use some derived inference rules, 
such as "if $\vdash_{T_0} u$ then $\vdash_{T_0} \bigcirc u$", that follow from the rule "if $\vdash_{T_0} u$ then $\vdash_{T_0} \Box u$" by 
propositional temporal reasoning. 

In the propositional case, given a $T_0$-consistent set of formulas $\Sigma$ we define a model 
$M_0$ as follows: 

$W = \{(\Sigma_0, u_0) \mid \Sigma_0 \text{ is a maximally consistent set of formulas and } u_0 \text{ is a formula}\}$, 
$w_0 = (\Sigma^*, \mathit{false})$ where $\Sigma^*$ is any maximally consistent extension of $\Sigma \cup \{u \mid \vdash_{T_0} u\}$, 
$R_1 = \{((\Sigma_0,u_0),(\Sigma_1,u_1)) \mid \text{for all } u,\ \bigcirc u \in \Sigma_0 \Rightarrow u \in \Sigma_1\}$, 
$R_2 = \{((\Sigma_0,u_0),(\Sigma_1,u_1)) \mid u_1 \notin \Sigma_0,\ u_1 \notin \Sigma_1, \text{ and for all } u,\ u\,\mathcal{U}\,u_1 \in \Sigma_0 \Rightarrow u \in \Sigma_1\}$, 
$p$ holds at $(\Sigma_0, u_0)$ if and only if $p \in \Sigma_0$. 

Then we remove all worlds not reachable from $w_0$, to obtain the model $M$. 

Intuitively, the definitions identify the world $w = (\Sigma_0, u_0)$ with the set of formulas $\Sigma_0$ 
that hold at $w$. The second component of a world, a formula $u_0$, is a new technical device 
whose intuitive meaning is explained below. Lindenbaum's Lemma guarantees that if $\Sigma$ is 
$T_0$-consistent then $\Sigma \cup \{u \mid \vdash_{T_0} u\}$ has a maximally consistent extension. Therefore, we may 
choose the initial world $w_0$ to satisfy $\Sigma$ and all the theorems of $T_0$. As usual, we define 
accessibility in such a way that one world is accessible from another world if this relation 
is acceptable in view of the formulas that the worlds contain. Thus, $w R_1 w'$ whenever, if 
$\bigcirc u$ is in $w$ then $u$ is in $w'$. In usual completeness proofs, $R_2$ is defined similarly: $w R_2 w'$ 
whenever, if $\Box u$ is in $w$ then $u$ is in $w'$. The second argument of $w'$, the formula $u'$, makes 
possible an important refinement: only the formulas that need to hold until $u'$ must be in 
$w'$. In other words, we intend to read $w R_2 w'$ as "$w'$ comes after $w$, but before $u'$ holds." 

All elements of $\Sigma$ appear in the initial world. Also, all theorems of $T_0$ appear in all 
worlds, since if $\vdash_{T_0} u$ then $\vdash_{T_0} \bigcirc u$ and $\vdash_{T_0} u\,\mathcal{U}\,u_1$. 

Note that if we had a rigid proposition symbol $p$ then $p$ would receive the same 
value in all worlds, since $\vdash_{T_0} p \equiv \bigcirc p$; hence (by propositional temporal reasoning) 
$\vdash_{T_0} [p \supset \bigcirc p] \wedge [\neg p \supset \bigcirc\neg p]$ and $\vdash_{T_0} [p \supset (p\,\mathcal{U}\,u_1)] \wedge [\neg p \supset ((\neg p)\,\mathcal{U}\,u_1)]$. 

Now we prove that all elements of $\Sigma$ hold in the initial world and all theorems of $T_0$ 
hold in all worlds, via a more general lemma: 

Lemma 4.2. Truth lemma 

For every world $(\Sigma_0, u_0)$, membership in $\Sigma_0$ and truth in $(\Sigma_0, u_0)$ are equivalent, that 
is, 

$u \in \Sigma_0 \iff M@(\Sigma_0, u_0) \models u$. 

Proof: 

The proof proceeds by induction on the depth of modal operators in $u$. The base case, 
where $u$ is classical, is straightforward. For the inductive step, the proof proceeds by 
induction on the structure of $u$. We establish the result for the base case, that is, for 
formulas where the main connective is a modal operator. The cases for $\mathcal{U}$ and $\mathcal{V}$ subsume 
those for $\Box$ and $\Diamond$, since $\vdash_{T_0} (\Box u) \equiv (u\,\mathcal{U}\,\mathit{false})$ and $\vdash_{T_0} (\Diamond u) \equiv (u\,\mathcal{V}\,\mathit{false})$. We omit 
the routine arguments for the classical connectives, which constitute the inductive step. 

• Suppose that $\bigcirc v \in \Sigma_0$. We want to show that $\bigcirc v$ holds at $(\Sigma_0, u_0)$, that is, $v \in \Sigma_1$ for 
some $(\Sigma_1, u_1)$ such that $(\Sigma_0, u_0) R_1 (\Sigma_1, u_1)$. Note that if $\vdash_{T_0} \neg u$ then $\vdash_{T_0} \neg\bigcirc u$; 
moreover, $\vdash_{T_0} (\bigcirc u \wedge \bigcirc u') \supset \bigcirc(u \wedge u')$ and $\vdash_{T_0} \neg\bigcirc u \equiv \bigcirc\neg u$. Hence, since 
$\Sigma_0$ is consistent, $\Sigma_0^+ = \{u \mid \bigcirc u \in \Sigma_0\}$ is consistent as well: suppose that 

$\vdash_{T_0} \neg(u^1 \wedge \ldots \wedge u^k)$ for some $u^1, \ldots, u^k \in \Sigma_0^+$, 

then 

$\vdash_{T_0} \neg\bigcirc(u^1 \wedge \ldots \wedge u^k)$, 

and hence 

$\vdash_{T_0} \neg((\bigcirc u^1) \wedge \ldots \wedge (\bigcirc u^k))$, 

with $(\bigcirc u^1), \ldots, (\bigcirc u^k) \in \Sigma_0$, contradicting the consistency of $\Sigma_0$. Let $\Sigma_1$ be a maximally consistent extension of $\Sigma_0^+$ 
(there is one, by Lindenbaum's Lemma) and $u_1$ an arbitrary formula. Clearly, 
$v \in \Sigma_1$ and $(\Sigma_0, u_0) R_1 (\Sigma_1, u_1)$. 

• Suppose that $v\,\mathcal{V}\,v' \in \Sigma_0$. We want to show that $v\,\mathcal{V}\,v'$ holds at $(\Sigma_0, u_0)$, that 
is, for some $(\Sigma_1, u_1)$ such that $(\Sigma_0, u_0) R_2 (\Sigma_1, u_1)$, $v \in \Sigma_1$ and, for all $(\Sigma_2, u_2)$ 
between $(\Sigma_0, u_0)$ and $(\Sigma_1, u_1)$ in the $R_2$ relation, $v' \notin \Sigma_2$. Note that if $\vdash_{T_0} \neg u$ 
then $\vdash_{T_0} \Box\neg u$ and hence $\vdash_{T_0} \neg(u\,\mathcal{V}\,v')$; also $\vdash_{T_0} (u\,\mathcal{V}\,v') \wedge (u'\,\mathcal{U}\,v') \supset ((u \wedge u')\,\mathcal{V}\,v')$. 

Hence, since $\Sigma_0$ is consistent, $\Sigma_0^+ = \{v\} \cup \{u \mid u\,\mathcal{U}\,v' \in \Sigma_0\}$ is consistent as well: 
suppose that 

$\vdash_{T_0} \neg(v \wedge u^1 \wedge \ldots \wedge u^k)$ for some $u^1, \ldots, u^k \in \Sigma_0^+$, 

then 

$\vdash_{T_0} \neg((v \wedge u^1 \wedge \ldots \wedge u^k)\,\mathcal{V}\,v')$, 

and hence 

$\vdash_{T_0} \neg((v\,\mathcal{V}\,v') \wedge (u^1\,\mathcal{U}\,v') \wedge \ldots \wedge (u^k\,\mathcal{U}\,v'))$, 

with $(v\,\mathcal{V}\,v'), (u^1\,\mathcal{U}\,v'), \ldots, (u^k\,\mathcal{U}\,v') \in \Sigma_0$. Let $\Sigma_1$ be a maximally consistent 
extension of $\Sigma_0^+$ (there is one, by Lindenbaum's Lemma) and $u_1 = v'$. Clearly, 
$v \in \Sigma_1$. Also, $(\Sigma_0, u_0) R_2 (\Sigma_1, v')$: 

1) $v' \notin \Sigma_0$, since $v\,\mathcal{V}\,v' \in \Sigma_0$ and $\vdash_{T_0} v\,\mathcal{V}\,v' \supset \neg v'$. 

2) $v' \notin \Sigma_1$, since $\vdash_{T_0} (\neg v')\,\mathcal{U}\,v'$, and hence $(\neg v')\,\mathcal{U}\,v' \in \Sigma_0$ and $\neg v' \in \Sigma_1$. 

3) If $u\,\mathcal{U}\,v' \in \Sigma_0$ then $u \in \Sigma_1$, by the construction of $\Sigma_1$. 

Now suppose that for some $(\Sigma_2, u_2)$ we have $(\Sigma_0, u_0) R_2 (\Sigma_2, u_2) R_2 (\Sigma_1, v')$. By 
the definition of $R_2$, $v' \notin \Sigma_2$, as desired. 

Suppose that v U v f G So. We want to show that v U v* holds at (Eo,tio), that 
is, for all (Ei,«i) such that (S 0 ,uo)-R2(Ei,ui), d 6 Sj or, for some (E 2 ,u 2 ) 
between (Eo,wo) and (Ei,ui) in the R2 relation, v f G E2- Consider an arbitrary 
(Ei,ui) such that (E 0 , u 0 )J?2(Ei, ui). Either 1; U u\ G E 0 or v* V u\ G E 0 
because hr 0 v U v ' D [(v U u\) V (v r V u\)). In the former case, v G Si by the 
definition of #2. In the latter case, we assume that v $ Ei and construct a 
world between (So,uo) and (Ei,ui) where v f appears. If v' G Si then we take 
(S 2 ,w 2 ) = (Si,ui). Clearly, v f G Ei. The accessibility conditions are fulfilled: 
since hr 0 uU U\ D (uVui) and u\ g Ei, if uUu\ G E 2 then u G Si. Now suppose 
that v f $ Si. Since v £ Si we get (-u) V u x G E 0 . Then v' V {^v A -V) G E 0 
follows, since hr 0 ((-.u) U\) A(vU v f ) D (v f V (^v A -V)). Note that if hr 0 -m 
then hr 0 -.(u P v'); also, hr 0 (ti P v') A («' W v') D ((ti A u') P v'). Hence, 
since E 0 is consistent, Eq~ = {v 1 } U (->v A -it;') G So} is consistent as 

well (the argument is similar to the one in the previous case). Let E2 be a 
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maximally consistent extension of E^J" (there is one, by Lindenbaum's Lemma) 
and u 2 = {pv A -V). Clearly, v* G E 2 . To show that (E 2 ,->t; A -V) is between 
(Eo,uo) and (Ei,ui), we check: 

1) A -V) £ E 0 follows from uWu'gE 0 and hr 0 v W v' D (v V u'). 

2) (^iv A -V) £ E 2 follows from v 9 G E 2 . 

3) If u W (->u A -V) € E 0 then u G E 2 , by the construction of E 2 . 

4) mi g E 2 : Since (-.v A -V) € E 1? (-it; A -V) V u\ G E 0 . Then note that 
hr 0 (-n> A -it;') V u\ D (^u x ) U {pv A -V). Thus, (-««i) U (^v A -V) G E 0 and 
hence ^! € E 2 (since (E 0 ,u 0 )i22(Ei,ui), as (1), (2), and (3) guarantee). 

5) u\ £ Ei follows from the hypothesis that (Eo, uo)#2(Ei, ui). 

6) If u U u x G E 2 then u € Si: Equivalently, we show that if u € Si then 
uV ui e S 2 : Suppose that u € Si. Then ->v A ->v' A u e S x . Therefore, 
(-^v A -V A u) V ui € S 0 . Note that 

hr 0 ((^v A ->v' f\u)V u\) D [((-v A -V Au)V u a ) W A -V)] , 
Hro [((-"« A -V f\u)V u\)U { )] D ((«?wi)W(^AV)). 

Thus, (uVui)U (->v A -V) G E 0 and G E 2 (since (E 0 , uq)R 2 (Zi, as 

(1), (2), and (3) guarantee). 

In all three cases, duality considerations ease the proof of the other direction of the 
equivalence. 

• Suppose that $\bigcirc v$ holds at $(\Sigma_0, u_0)$. We want to show that $\bigcirc v \in \Sigma_0$. If $\bigcirc v$ holds at 
$(\Sigma_0, u_0)$ then some $(\Sigma_1, u_1)$ such that $(\Sigma_0, u_0) R_1 (\Sigma_1, u_1)$ contains $v$. Since $\neg v \notin \Sigma_1$, 
the definition of $R_1$ yields $\bigcirc\neg v \notin \Sigma_0$. Since $\vdash_{T_0} \neg\bigcirc v \equiv \bigcirc\neg v$, we obtain 
$\bigcirc v \in \Sigma_0$. 

• Suppose that $v\,\mathcal{V}\,v'$ holds at $(\Sigma_0, u_0)$. We want to show that $v\,\mathcal{V}\,v' \in \Sigma_0$. We suppose 
that $v\,\mathcal{V}\,v' \notin \Sigma_0$ to show that $v\,\mathcal{V}\,v'$ does not hold at $(\Sigma_0, u_0)$, and thus obtain a 
contradiction. Since $v\,\mathcal{V}\,v' \notin \Sigma_0$ and $\vdash_{T_0} \neg(v\,\mathcal{V}\,v') \equiv ((\neg v)\,\mathcal{U}\,v')$, we have that 
$(\neg v)\,\mathcal{U}\,v' \in \Sigma_0$. Since the depth of modal operators in $\neg(v\,\mathcal{V}\,v')$ and $(\neg v)\,\mathcal{U}\,v'$ is 
the same, the direction already proved implies that $(\neg v)\,\mathcal{U}\,v'$ holds at $(\Sigma_0, u_0)$. Hence, $v\,\mathcal{V}\,v'$ does not hold at 
$(\Sigma_0, u_0)$. 

• Suppose that $v\,\mathcal{U}\,v'$ holds at $(\Sigma_0, u_0)$. We want to show that $v\,\mathcal{U}\,v' \in \Sigma_0$. We suppose 
that $v\,\mathcal{U}\,v' \notin \Sigma_0$ to show that $v\,\mathcal{U}\,v'$ does not hold at $(\Sigma_0, u_0)$, and thus obtain a 
contradiction. Since $v\,\mathcal{U}\,v' \notin \Sigma_0$ and $\vdash_{T_0} \neg(v\,\mathcal{U}\,v') \equiv ((\neg v)\,\mathcal{V}\,v')$, we have that 
$(\neg v)\,\mathcal{V}\,v' \in \Sigma_0$. Since the depth of modal operators in $\neg(v\,\mathcal{U}\,v')$ and $(\neg v)\,\mathcal{V}\,v'$ is 
the same, the direction already proved implies that $(\neg v)\,\mathcal{V}\,v'$ holds at $(\Sigma_0, u_0)$. Hence, $v\,\mathcal{U}\,v'$ does not hold at 
$(\Sigma_0, u_0)$. ∎ 

This concludes the propositional model construction. The first-order model construction 
is based on the propositional one. As is typical for first-order completeness proofs, the 
sets of formulas that appear in the construction of worlds are not only maximally consistent 
but also saturated. (Recall that $\Sigma_0 \vdash_{T_0} u$ if for some $u_1, \ldots, u_n \in \Sigma_0$, $\vdash_{T_0} (u_1 \wedge \ldots \wedge u_n) \supset u$; 
$\Sigma_0$ is omega-complete if $\Sigma_0 \vdash_{T_0} u[t]$ for every term $t$ implies $\Sigma_0 \vdash_{T_0} \forall x.u[x]$, where $x$ is a 
new variable; $\Sigma_0$ is saturated if it is both omega-complete and maximally consistent.) 

Fortunately, the extension to FTL requires only two new propositions; all other details 
are very similar to those given in [Gar], pp. 273-276; in particular, the extension is considerably 
simplified by the presence of the Barcan formula. We show that if $\Sigma_0$ is a saturated 
set then $\{u \mid \bigcirc u \in \Sigma_0\}$ and $\{u \mid u\,\mathcal{U}\,v' \in \Sigma_0\}$ are omega-complete (this is analogous to the 
key step in lemma 3 on p. 275 of [Gar]). 

Proposition 4.3. 

If $\Sigma_0$ is a saturated set then $\{u \mid \bigcirc u \in \Sigma_0\}$ is omega-complete. 

Proof: 

Suppose that 

$\{v \mid \bigcirc v \in \Sigma_0\} \vdash_{T_0} u[t]$ 

for every term $t$. If $\vdash_{T_0} v \supset u[t]$ then $\vdash_{T_0} (\bigcirc v) \supset (\bigcirc u[t])$; also, $\vdash_{T_0} (\bigcirc u_0) \wedge (\bigcirc u_1) \supset 
\bigcirc(u_0 \wedge u_1)$. Hence, $\Sigma_0 \vdash_{T_0} \bigcirc u[t]$ for every $t$, and $\Sigma_0 \vdash_{T_0} \forall x.(\bigcirc u[x])$ since $\Sigma_0$ is omega-complete. 
Furthermore, $\vdash_{T_0} \forall x.(\bigcirc u[x]) \supset \bigcirc(\forall x.u[x])$. Since $\Sigma_0$ is maximally consistent, 
$\bigcirc(\forall x.u[x]) \in \Sigma_0$. Thus, $(\forall x.u[x]) \in \{v \mid \bigcirc v \in \Sigma_0\}$ and, immediately, 

$\{v \mid \bigcirc v \in \Sigma_0\} \vdash_{T_0} (\forall x.u[x])$, 

as desired. ∎ 

Proposition 4.4. 

If $\Sigma_0$ is a saturated set then $\{u \mid u\,\mathcal{U}\,v' \in \Sigma_0\}$ is omega-complete for every $v'$. 

Proof: 

Suppose that 

$\{v \mid v\,\mathcal{U}\,v' \in \Sigma_0\} \vdash_{T_0} u[t]$ 

for every term $t$. If $\vdash_{T_0} v \supset u[t]$ then $\vdash_{T_0} (v\,\mathcal{U}\,v') \supset (u[t]\,\mathcal{U}\,v')$; also, $\vdash_{T_0} (u_0\,\mathcal{U}\,v') \wedge (u_1\,\mathcal{U}\,v') \supset 
((u_0 \wedge u_1)\,\mathcal{U}\,v')$. Hence, $\Sigma_0 \vdash_{T_0} (u[t])\,\mathcal{U}\,v'$ for every $t$, and $\Sigma_0 \vdash_{T_0} \forall x.[(u[x])\,\mathcal{U}\,v']$ since $\Sigma_0$ 
is omega-complete. Furthermore, $\vdash_{T_0} \forall x.[(u[x])\,\mathcal{U}\,v'] \supset [(\forall x.u[x])\,\mathcal{U}\,v']$, because the new 
variable $x$ does not occur in $v'$. Since $\Sigma_0$ is maximally consistent, $(\forall x.u[x])\,\mathcal{U}\,v' \in \Sigma_0$. 
Thus, $(\forall x.u[x]) \in \{v \mid v\,\mathcal{U}\,v' \in \Sigma_0\}$ and, immediately, 

$\{v \mid v\,\mathcal{U}\,v' \in \Sigma_0\} \vdash_{T_0} (\forall x.u[x])$, 

as desired. ∎ ∎ 

Remark: The proof of theorem 4.1 does not require all schemas valid in PTL. For instance, 
we do not exploit the connections between $\bigcirc$ and the other temporal operators. Thus, the same completeness 
proof applies to some other modal logics with different axioms about time. ∎ 



3. A nonstandard incompleteness theorem 

The completeness theorem of the previous section may appear as a first promising 
step in proving that $T_0$ is reasonably powerful. Furthermore, systems equivalent to $T_0$ are 
often empirically satisfactory. As we prove here, however, $\vdash_{T_0}$ is surprisingly weak: not 
even complete with respect to $\vdash_0$. 

Theorem 4.5. Nonstandard incompleteness 

There is a formula $u_0$ such that $\vdash_0 P(u_0)$ but $\nvdash_{T_0} u_0$. 

Proof: 

Fix the language to contain only the flexible constant symbol $a$ and the flexible predicate 
symbol $p$. Let $u_0$ be 

$[(\forall x.\Diamond a = x) \wedge p(a) \wedge (\forall x\forall y.(p(x) \wedge \Diamond(a = x \wedge \bigcirc a = y)) \supset p(y))]$ 
$\supset (\forall x.p(x))$. 

Intuitively, $u_0$ says that if $a$ enumerates the domain in a sequence of instants, $p$ holds for 
the first element in the enumeration, and if it holds for an element then it holds for its 
successor in the enumeration, then it must hold for all elements in the domain. In a sense, 
$u_0$ establishes a connection between induction on time and induction in a domain. 

Significantly, $\nvdash_{T_0} u_0$. To show this, it suffices to construct a model $M$ of $T_0$ where $u_0$ 
fails. Let the domain and the set of worlds in the model, $D$ and $W$, both equal $\mathbb{N} + \mathbb{Z}$, 
that is, a copy of $\{0, 1, \ldots\}$ and a copy of $\{\ldots, -1', 0', 1', \ldots\}$. The initial world $w_0$ is $0$, 
$R_1$ is the union of the successor functions on $\mathbb{N}$ and $\mathbb{Z}$, $R_2$ is $\leq$ with $m \leq n'$ for all $m$ and 
$n$ (in other words, we put $\mathbb{N}$ before $\mathbb{Z}$). In the initial world, $p(x)$ holds if and only if $x$ is 
in $\mathbb{N}$; in all other worlds, $p(x)$ is always false. In world $i$, $a$ has value $i$. 

The formula 

$(\forall x.\Diamond a = x) \wedge p(a) \wedge (\forall x\forall y.(p(x) \wedge \Diamond(a = x \wedge \bigcirc a = y)) \supset p(y))$ 

holds in $M$. However, $(\forall x.p(x))$ does not hold. Therefore, $u_0$ is falsified in this model. We 
still need to check that $M$ is a model of $T_0$. We show that all instances of schemas valid 
in PTL hold at every world; all the other axioms and rules of $T_0$ are sound for constant-domain 
possible-world models. In fact, we only consider the schemata $(\bigcirc\neg u) \equiv \neg(\bigcirc u)$, 
$\Box u \supset (u \wedge \bigcirc\Box u)$, $u\,\mathcal{U}\,v \equiv [v \vee u \wedge \bigcirc(u\,\mathcal{U}\,v)]$, and $\Box(u \supset \bigcirc u) \supset (u \supset \Box u)$, since these 
schemata, added to others which hold for all possible-world models, yield the complete 
PTL axiom system of Gabbay, Pnueli, Shelah, and Stavi ([GPSS]). 

• The schema $(\bigcirc\neg u) \equiv \neg(\bigcirc u)$ holds at all worlds in $M$ since $R_1$ is a function. 

• The schema $\Box u \supset (u \wedge \bigcirc\Box u)$ follows from $u\,\mathcal{U}\,v \supset [v \vee u \wedge \bigcirc(u\,\mathcal{U}\,v)]$ (proved 
below), since $\Box u \equiv (u\,\mathcal{U}\,\mathit{false})$ holds in all possible-world models. 

• The schema $u\,\mathcal{U}\,v \supset [v \vee u \wedge \bigcirc(u\,\mathcal{U}\,v)]$ holds at all worlds in $M$: Assume that 
$u\,\mathcal{U}\,v$ holds at some arbitrary world $w_1$. Since $R_2$ is reflexive, either $v$ or $u$ must 
hold at $w_1$ (by the semantics of $\mathcal{U}$ for possible-world models). If $v$ holds then 
$v \vee u \wedge \bigcirc(u\,\mathcal{U}\,v)$ holds. Otherwise, consider the world $w_2$ such that $w_1 R_1 w_2$. It 
suffices to show that $u\,\mathcal{U}\,v$ holds at $w_2$, that is, that $u$ holds until $v$ holds in the 
"future" of $w_2$. Since $R_1 \subseteq R_2$ and $R_2$ is transitive, any $w_3$ such that $w_2 R_2 w_3$ 
also satisfies $w_1 R_2 w_3$. By our hypothesis, either $u$ holds at $w_3$ or $v$ holds at 
some world $w_4$ such that $w_1 R_2 w_4$ and $w_4 R_2 w_3$. Since $v$ does not hold at $w_1$ and 
$R_2 - (R_1 \circ R_2) = \{(w, w) \mid w \in W\}$ (where $R_1 \circ R_2$ relates $w$ to $w''$ when $w R_1 w' R_2 w''$ for some $w'$), $w_4$ must satisfy $w_2 R_2 w_4$ and $w_4 R_2 w_3$. In 
short, for any $w_3$ such that $w_2 R_2 w_3$, either $u$ holds or $v$ holds at some $w_4$ such 
that $w_2 R_2 w_4$ and $w_4 R_2 w_3$, that is, $u\,\mathcal{U}\,v$ holds at $w_2$. 

• The schema $[v \vee u \wedge \bigcirc(u\,\mathcal{U}\,v)] \supset u\,\mathcal{U}\,v$ holds at all worlds in $M$: Assume that 
$v \vee u \wedge \bigcirc(u\,\mathcal{U}\,v)$ holds at some arbitrary world $w_1$. If $v$ holds at $w_1$, $u\,\mathcal{U}\,v$ holds as 
well, by the reflexivity of $R_2$ and the semantics of $\mathcal{U}$. Otherwise, assume $u$ holds 
at $w_1$ and $u\,\mathcal{U}\,v$ holds at its successor world, $w_2$. Therefore, for all $w_3$ such that 
$w_2 R_2 w_3$ either $u$ holds or for some $w_4$ such that $w_2 R_2 w_4$ and $w_4 R_2 w_3$, $v$ holds. 
Since $u$ holds at $w_1$ and $R_2 - (R_1 \circ R_2) = \{(w, w) \mid w \in W\}$, we can derive that 
for all $w_3$ such that $w_1 R_2 w_3$ either $u$ holds or, for some $w_4$ such that $w_2 R_2 w_4$ 
and $w_4 R_2 w_3$, $v$ holds. Since $R_1 \subseteq R_2$ and $R_2$ is transitive, any such $w_4$ must 
also satisfy $w_1 R_2 w_4$, so for all $w_3$ such that $w_1 R_2 w_3$ either $u$ holds or for some 
$w_4$ such that $w_1 R_2 w_4$ and $w_4 R_2 w_3$, $v$ holds, that is, $u\,\mathcal{U}\,v$ holds at $w_1$. 

• The induction schema, $\Box(u \supset \bigcirc u) \supset (u \supset \Box u)$, is satisfied at all worlds in $M$: 
Suppose that for a formula $u$ we have $u$ and $\Box(u \supset \bigcirc u)$ at some world $w_1$. We 
want to show that $\Box u$ holds at $w_1$. Certainly, $u$ must hold at the world $w_2$ such 
that $w_1 R_1 w_2$. For all formulas $v$, for all $i, j$ such that $1 R_2 i$ and $1 R_2 j$, that is, 
for all worlds accessible from world $1$, $v$ holds at world $i$ if and only if $v$ holds at 
world $j$. (The proof is a trivial inductive argument on the syntactic structure of $v$, 
where the base case concerns atomic formulas and the inductive step concerns 
formulas built up with the various connectives.) In particular, all worlds $w_3$ such 
that $w_2 R_2 w_3$ are indistinguishable from world $w_2$. Therefore, $u$ must hold at all 
$w_3$ such that $w_2 R_2 w_3$. Since $R_2 - (R_1 \circ R_2) = \{(w, w) \mid w \in W\}$ and $u$ holds at 
$w_1$, $u$ holds at all $w_3$ such that $w_1 R_2 w_3$, that is, $\Box u$ holds at $w_1$. 

Intuitively, however, $u_0$ is true. In fact, it is true in the standard semantics, and 
even in the weak nonstandard semantics determined by $H_0$, since $\vdash_0 P(u_0)$. The basic 
idea behind the proof of $P(u_0)$ is that $p(a(i), 0)$ implies $p(a(s(i)), 0)$ for all $i$, so induction 
yields $p(a(i), 0)$ for all $i$. Note that here $p$ is interpreted at time $0$ while its argument $a$ 
refers to other times. In the modal system, where time is implicit, this double reference 
is impossible; therefore, the simple inductive proof just described in the classical language 
has no direct temporal counterpart. ∎ 



5. Auxiliary definitions 

As we showed in the previous section, To is surprisingly limited. An analysis of its 
incompleteness and of how informal temporal theorem proving is carried out gives rise to 
new rules. Similar rules can be added to other proposed FTL systems. 

In the first subsection we describe two extensions of To. In the second subsection we 
give some preliminary completeness theorems that we use to obtain stronger ones in section 
7. In the third subsection, we briefly discuss the connection between rules to discharge 
definitions and skolemization rules. 



1. Two systems with auxiliary definitions 

In practice, proofs often involve auxiliary predicate and function symbols. For instance, 
if we define the auxiliary rigid predicate $q$ such that $q(x)$ holds if and only if $p(x)$ 
holds at the initial world, we obtain a proof for the sentence $u_0$ exhibited in the previous 
incompleteness theorem 4.5. We show that $\Box q(a)$ holds inductively, and then use 
$(\forall x.\Diamond a = x)$ to derive $\forall x.\Diamond q(x)$. Since $q$ is rigid, this simplifies to $\forall x.q(x)$. By the 
definition of $q$, we reach the desired conclusion, $\forall x.p(x)$. 
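The steps just sketched, carried through against the rules of $T_1$. This worked derivation is added here and is not the paper's own text; beyond what the page states, it assumes that the rigidity principle noted above for rigid proposition symbols extends to a rigid predicate applied to a variable, $\vdash_{T_0} \forall x.(q(x) \equiv \bigcirc q(x))$, and that $\bigcirc$ commutes with equality and with quantification over the time-independent domain (the Barcan-style axioms of $T_0$).

Let $d$ be the explicit definition $\forall x.\,q(x) \equiv p(x)$ of the new rigid predicate $q$, and write $u_0$ as $A \supset \forall x.p(x)$, where $A$ is the antecedent

$$(\forall x.\Diamond a = x) \wedge p(a) \wedge (\forall x\forall y.(p(x) \wedge \Diamond(a = x \wedge \bigcirc a = y)) \supset p(y)).$$

Reasoning in $T_0$ from $d \wedge A$:

1. $q(a)$, from $p(a)$ and $d$.

2. $\forall x\forall y.((q(x) \wedge \Diamond(a = x \wedge \bigcirc a = y)) \supset q(y))$, from the third conjunct of $A$ and $d$.

3. $\Box\forall x\forall y.((q(x) \wedge a = x \wedge \bigcirc a = y) \supset q(y))$. For rigid $q$, $\vdash_{T_0} (q(x) \wedge \Diamond G \supset q(y)) \supset \Box(q(x) \wedge G \supset q(y))$ by propositional temporal reasoning from $q(x) \equiv \Box q(x)$ and $\neg q(y) \equiv \Box\neg q(y)$; the Barcan axiom moves $\Box$ past the quantifiers.

4. $\Box(q(a) \supset \bigcirc q(a))$. Instantiating 3 at $x = a$ (the occurrences of $x$ are not in the scope of a modal operator) and at a $y$ with $\bigcirc a = y$, which exists by the equality axioms and the Barcan axiom for $\bigcirc$, gives $q(a) \supset q(y)$; rigidity gives $q(y) \supset \bigcirc q(y)$, and $\bigcirc a = y$ then yields $\bigcirc q(a)$.

5. $\Box q(a)$, from 1, 4 and the induction schema $\Box(q(a) \supset \bigcirc q(a)) \supset (q(a) \supset \Box q(a))$.

6. $\forall x.\Diamond q(x)$. From $\forall x.\Diamond a = x$ and 5, $\forall x.\Diamond(a = x \wedge q(a))$ (since $\vdash_{T_0} \Diamond u \wedge \Box v \supset \Diamond(u \wedge v)$), and $a = x \wedge q(a) \supset q(x)$ by the equality axioms.

7. $\forall x.q(x)$, by rigidity, $\vdash_{T_0} \Diamond q(x) \supset q(x)$.

8. $\forall x.p(x)$, by $d$.

Hence $\vdash_{T_0} d \supset u_0$ and, since $d$ defines the rigid predicate $q$, which does not occur in $u_0$, the discharge rule of $T_1$ gives $\vdash_{T_1} u_0$. The step the countermodel of theorem 4.5 blocks is 3: it needs $q$ rigid, and $p$ itself is not.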

Useful auxiliary objects are not always rigid. In some cases, flexible objects have been 
introduced in informal proofs. Thus, Hailpern and Owicki have given inductive definitions 
for "history variables" and used them in proofs ([HO]). 

We propose to allow definitions for rigid and flexible auxiliary predicates in formal 
proofs. Some restrictive kinds of definitions are actually sufficient for completeness purposes, 
but general forms seem more elegant and practical. Definitions for auxiliary functions 
could be formulated similarly. However, for simplicity, we derive them from definitions 
for predicates (since any provably functional predicate can be manipulated as the 
corresponding function). 

Rigid predicates are defined explicitly by formulas of the form 

$\forall x_1 \ldots \forall x_k.\,p(x_1, \ldots, x_k) \equiv u$, 

where $p$ is the new rigid predicate symbol being defined and $p$ does not occur in $u$. 

For flexible predicates, we are content with primitive-recursive definitions of the form 

$\forall x_1 \ldots \forall x_n.\,[p(x_1, \ldots, x_n) \equiv u \wedge \Box((\bigcirc p(x_1, \ldots, x_n)) \equiv v)]$, 

where $p$ is the new flexible predicate symbol, $p$ does not occur in $u$, and $p$ does not occur 
in the scope of any modal operator in $v$. We also require that $p$ does not occur in the 
scope of $\forall$ or $\neg$ in $v$ in order to keep definitions simple; this requirement is essential for 
our soundness results and seems generally easy to satisfy in practice. These definitions are 
analogous to primitive-recursive definitions in classical logic. Sometimes we refer to them 
simply as recursive definitions. 

Definitions may be iterated, in the sense that defined symbols may be used in new 
definitions. 

Given a temporal language, we add an infinite supply of new rigid and flexible predicate 
symbols for definitions to use. We require that definitions define only these predicate 
symbols. Note that there is a largest (typically infinite) set $D_e$ of possible explicit definitions 
when only explicit definitions are considered, up to renaming of the defined predicate 
symbols. Similarly, there is a largest set $D_{er}$ of possible explicit and recursive definitions 
when both explicit and recursive definitions are considered. 

We extend the Hilbert system $T_0$ with sound rules to exploit definitions. We allow 
the discharge of explicit definitions at the end of proofs to obtain the system $T_1$ and the 
concept $\vdash_{T_1}$ from $T_0$ and $\vdash_{T_0}$: 

• If $\vdash_{T_0} w$ then $\vdash_{T_1} w$. 

• If $\vdash_{T_1} (d \supset w)$ and $d$ defines a rigid predicate not occurring in $w$ then $\vdash_{T_1} w$. 

We allow the discharge of both explicit and primitive-recursive definitions at the end of 
proofs to obtain the system $T_2$ and the concept $\vdash_{T_2}$ from $T_0$ and $\vdash_{T_0}$: 

• If $\vdash_{T_0} w$ then $\vdash_{T_2} w$. 

• If $\vdash_{T_2} (d \supset w)$ and $d$ defines a predicate not occurring in $w$ then $\vdash_{T_2} w$. 

Remark: We could allow the discharge of definitions at any point in proofs (rather 
than only at the end). However, this would unnecessarily complicate our proof systems. 
In particular, the soundness theorem of section 7 would still apply as an upper bound on 
the power of $T_1$ and $T_2$ after some minor modifications. ∎ 



2. Two very nonstandard completeness theorems 

Consider two models $M$ and $M'$, with interpretation functions $I$ and $I'$, respectively. 
We say that $M'$ expands $M$ (or is an expansion of $M$) if $M$ and $M'$ are identical except that 
$I'$ extends $I$ to give meanings to some new predicate and function symbols. Expansions 
preserve the meaning of formulas that do not contain the new symbols: 

Proposition 5.1. 

If $M'$ expands $M$ and the formula $u$ does not contain any of the symbols that $M'$ 
interprets but $M$ does not interpret, then $M \models u \iff M' \models u$. 

Proof: 

We prove that for all assignments $\alpha$ and all worlds $w$ 

$(M \cdot \alpha)@w \models u \iff (M' \cdot \alpha)@w \models u$ 

by induction on the structure of $u$. Both the base case and the inductive step are trivial. 
∎ 

We say that $M'$ e-expands $M$ if $M'$ expands $M$ and satisfies each definition in $D_e$. 
The model $M$ is a model of $T_1$ if some model of $T_0$ e-expands $M$. Intuitively, models of $T_1$ 
are models of $T_0$ that can be expanded to satisfy all explicit definitions while remaining 
models of $T_0$. 

$T_1$ is trivially sound with respect to models of $T_1$. A set of formulas $\Sigma$ is $T_1$-consistent 
if $\nvdash_{T_1} \neg(u_1 \wedge \ldots \wedge u_n)$ for all $u_1, \ldots, u_n \in \Sigma$. Theorem 4.1 immediately yields that $T_1$ is 
strongly complete with respect to models of $T_1$: 

Proposition 5.2. Very nonstandard strong completeness 

If the set of formulas $\Sigma$ is $T_1$-consistent then $\Sigma$ holds in some model of $T_1$. 

Proof: 

If $\Sigma$ is $T_1$-consistent, then $\nvdash_{T_1} \neg(u_1 \wedge \ldots \wedge u_n)$ for all $u_1, \ldots, u_n \in \Sigma$. The rule for definitions 
guarantees that $\nvdash_{T_0} \neg(d_1 \wedge \ldots \wedge d_m \wedge u_1 \wedge \ldots \wedge u_n)$ for all $u_1, \ldots, u_n \in \Sigma$ and $d_1, \ldots, d_m \in D_e$. 
Therefore, $\Sigma \cup D_e$ is $T_0$-consistent, and has a model $M$ of $T_0$ by theorem 4.1. In particular, 
$M$ satisfies $\Sigma$. Furthermore, since $M$ e-expands itself, $M$ is also a model of $T_1$. ∎ 

Similarly, we say that $M'$ er-expands $M$ if $M'$ expands $M$ and satisfies each definition 
in $D_{er}$. The model $M$ is a model of $T_2$ if some model of $T_0$ er-expands $M$. Intuitively, 
models of $T_2$ are models of $T_0$ that can be expanded to satisfy all explicit and all recursive 
definitions while remaining models of $T_0$. 

$T_2$ is trivially sound with respect to models of $T_2$. A set of formulas $\Sigma$ is $T_2$-consistent 
if $\nvdash_{T_2} \neg(u_1 \wedge \ldots \wedge u_n)$ for all $u_1, \ldots, u_n \in \Sigma$. Theorem 4.1 immediately yields that $T_2$ is 
strongly complete with respect to models of $T_2$: 

Proposition 5.3. Very nonstandard strong completeness 

If the set of formulas $\Sigma$ is $T_2$-consistent then $\Sigma$ holds in some model of $T_2$. 

Proof: 

The argument is identical to the previous one. ∎ 

Thus, models of $T_1$ and $T_2$ can be expanded to satisfy all the appropriate definitions 
at once. As we argue now, they can also be expanded to satisfy any chosen definitions. 
Let $M$ be a model of $T_1$ (or $T_2$), and $M'$ one such "full" expansion. Given a subset of 
$D_e$ (or $D_{er}$) with definitions for the auxiliary predicates $p_1, p_2, \ldots$, we may restrict the 
interpretation function in $M'$ to give meanings to the symbols in the original language, to 
$p_1, p_2, \ldots$, and to no other auxiliary symbol. The model we obtain, $M''$, is an expansion 
of $M$ and a model of $T_1$ (or $T_2$), since $M'$ is an e-expansion (or an er-expansion) of $M''$. 
Therefore, models of $T_1$ and $T_2$ can be expanded to satisfy arbitrary explicit or recursive 
definitions while remaining models of $T_1$ and $T_2$. 



3. On resolution systems 

In some resolution systems, skolemization has a role similar to that of the rules to 
discharge definitions because, intuitively, skolemization introduces an auxiliary function 
(instead of an auxiliary predicate). 

For instance, suppose that there is a resolution proof of $(d \supset u)$, that is, a refutation of 
$\neg(d \supset u)$, where $d$ is a definition for the new rigid predicate $p(x)$ with the formula $w[x]$. We 
can construct a resolution proof of $u$, that is, a refutation of $\neg u$. Intuitively, we introduce 
a skolem function instead of a defined predicate. The skolem function maps $x$ to some 
distinguished element $a$ if and only if $w[x]$ holds in the present. A slight complication 
arises in that we need to consider the trivial case where the domain contains a single 
element. 

In particular, the resolution system R ([Al]) includes a skolemization rule that introduces 
rigid skolem function symbols. Thus, our results on $T_1$ carry over to R. On the other 
hand, the resolution system of Abadi and Manna ([AM]) does not include a skolemization 
rule and is analogous to $T_0$. 



6. Clocks and arithmetical formulas 

In this section we define the class of arithmetical formulas. We have a completeness 
result for arithmetical formulas for T\ . Arithmetical formulas are also useful in the study 
of T2, although our completeness theorem for T2 is not restricted to arithmetical formulas. 
1. Definitions and examples 

Sometimes a clock is a useful device in proofs. For instance, a program counter may 
help us prove properties of a program even though the program never refers to the program 
counter. In some logics of programs, clocks are actually not only useful but sometimes 
necessary ([Pal]). 

Informally, a clock is a formula $c$ that distinguishes a set of tuples of elements of 
the domain at each point, without repetitions. The distinguished tuples in a world 
can be thought of as the "time" of that world. (For instance, the formula $c[x]$ may be 
$\mathit{program\text{-}counter} = x$.) More precisely, $c$ satisfies the clock condition 

$C(c)$: $(\Box\exists\bar{x}.c[\bar{x}]) \wedge (\Box\forall\bar{x}.(c[\bar{x}] \supset \bigcirc\Box\neg c[\bar{x}]))$. 

The formula $c$ is a clock for $u$ if we can use $C(c)$ to show $u$, that is, if we can prove 
$C(c) \supset u$ then we can prove $u$ (or, as we often say, "$u$ reduces to $C(c) \supset u$"). More 
precisely, consider a proof concept $\vdash$ (for instance, one of $\vdash_{T_0}$, $\vdash_{T_1}$, $\vdash_{T_2}$). The formula $c$ is 
a clock for $u$ in $\vdash$ if 

$\vdash C(c) \supset u$ implies $\vdash u$. 

Thus, the provability of $u$ with a clock suffices to guarantee the provability of $u$. Note that 
we do not require that $c$ be in the original temporal language under consideration: $c$ may 
include auxiliary predicate symbols introduced in definitions. The formula $u$ is arithmetical 
in $\vdash$ if there exists a clock for $u$ in $\vdash$ (the name was chosen because arithmetical formulas 
have a most natural interpretation in arithmetical universes ([Hal])). 

Examples: 

• The formula $\exists x\exists y.(x \neq y)$ is trivially not arithmetical, in any sound system: 
it can be proved using a clock (if a clock exists, then the domain contains two 
distinct values) but not without a clock. We do not know of more subtle examples 
of formulas which are not arithmetical. 

• Consider $\vdash_{T_0}$. Suppose we are interested in 

$u$: $[A \wedge \Box\forall z.(a = z \supset \bigcirc a > z)] \supset \forall y.\Diamond a > y$, 

where $A$ is some basic collection of axioms about arithmetic, $a$ is a flexible constant 
symbol, and all other symbols are rigid. The formulas in the antecedent, $A$ 
and $\Box\forall z.(a = z \supset \bigcirc a > z)$, imply that $a$ must take a different value at each 
instant. Therefore, we can prove 

$[A \wedge \Box\forall z.(a = z \supset \bigcirc a > z)] \supset C(a = x)$, 

and derive $[C(a = x) \supset u] \supset u$ by propositional reasoning. Therefore, $a = x$ is a 
clock for $u$. 
• Consider $\vdash_{T_2}$. Suppose we are interested in 

$u$: $[\forall x.(s(x) \neq 0) \wedge \forall x\forall y.(s(x) = s(y) \supset x = y)] \supset v$ 

for some formula $v$. For instance, we may imagine that $v$ expresses some temporal 
property of programs on numbers, and that is why some basic facts about $0$ and 
$s$ appear in $u$. In $T_2$, we can give a definition $d_c$ for a flexible predicate $c$ that is 
a clock for $u$: 

$\forall x.\,[(c(x) \equiv (x = 0)) \wedge \Box((\bigcirc c(x)) \equiv \exists y.(c(y) \wedge x = s(y)))]$. 

Intuitively, $c$ is the clock that gives the times $0, 1, 2, \ldots$. Note that 

$[\forall x.(s(x) \neq 0) \wedge \forall x\forall y.(s(x) = s(y) \supset x = y) \wedge d_c] \supset C(c)$ (*) 

is provable in $T_2$. 

To check that $c$ is a clock for $u$, we simply need to reduce $u$ to $C(c) \supset u$. Suppose 
that $C(c) \supset u$ has a proof in $T_2$. Let $D$ be the conjunction of the definitions 
involved in this proof and in the proof of (*). Then $(D \wedge C(c)) \supset u$ is provable 
in $T_0$. By propositional reasoning, 

$[\forall x.(s(x) \neq 0) \wedge \forall x\forall y.(s(x) = s(y) \supset x = y) \wedge d_c \wedge D] \supset u$ 

and hence $(d_c \wedge D) \supset u$ are also provable in $T_0$. We discharge the definitions, to 
conclude that $u$ is provable in $T_2$. ∎ 

As the examples suggest, many of the formulas that arise in reasoning about computations 
are arithmetical. For the systems $T_0$ and $T_1$ it suffices that the formulas in 
question mention some (provably) non-repeating term, which may represent a program 
counter or just some program variable. Furthermore, all instances of valid PTL schemas 
are trivially arithmetical, since they are provable. It is therefore reasonable to suggest that 
many important FTL formulas are arithmetical in $\vdash_{T_0}$ and $\vdash_{T_1}$. 

For the system of most interest to us, $T_2$, arithmetical formulas are even easier to 
find. Typically, infinite-state systems operate on domains such as the integers, the lists, or 
the strings. By proposition 6.1 (below), formulas that involve some basic theory of such a 
domain are arithmetical in $\vdash_{T_2}$. This basic theory needs to refer only to elementary facts 
about a "successor" operation, e.g., successor for integers, concatenation for lists and for 
strings; intuitively, this "successor" operation suffices to construct a clock that ticks by 
applying the operation to its current value. 

Given a formula $s_p[\bar{x}, \bar{y}]$, where $\bar{x}$ and $\bar{y}$ have the same length, let $\mathit{Inj}(s_p)$ denote 

$\forall\bar{x}\forall\bar{y}\forall\bar{z}.((s_p[\bar{x}, \bar{y}] \wedge s_p[\bar{x}, \bar{z}]) \supset \bar{y} = \bar{z})$ 
$\wedge$ 
$\forall\bar{x}\forall\bar{y}\forall\bar{z}.((s_p[\bar{x}, \bar{z}] \wedge s_p[\bar{y}, \bar{z}]) \supset \bar{x} = \bar{y})$ 
$\wedge$ 
$\forall\bar{x}\forall\bar{y}.\,\Box(s_p[\bar{x}, \bar{y}] \equiv \bigcirc s_p[\bar{x}, \bar{y}])$ 

and $\mathit{Range}(s_p) \subseteq \mathit{Domain}(s_p)$ denote 

$\exists\bar{x}.(\exists\bar{y}.s_p[\bar{x}, \bar{y}] \wedge \forall\bar{z}.\neg s_p[\bar{z}, \bar{x}])$ 
$\wedge$ 
$\forall\bar{x}.(\exists\bar{y}.s_p[\bar{y}, \bar{x}] \supset \exists\bar{z}.s_p[\bar{x}, \bar{z}])$. 

The formula $\mathit{Inj}(s_p)$ asserts that $s_p$ denotes a rigid injective partial function; the formula 
$\mathit{Range}(s_p) \subseteq \mathit{Domain}(s_p)$ that there is at least one "0-like" element to start a sequence of 
function applications, and that the sequence never stops. 

Proposition 6.1. 

If $\vdash_{T_2} [(\mathit{Inj}(s_p) \wedge (\mathit{Range}(s_p) \subseteq \mathit{Domain}(s_p))) \supset u] \supset u$ for some formula $s_p[\bar{x}, \bar{y}]$ then 
$u$ is arithmetical in $\vdash_{T_2}$. 

Proof: 

The flexible predicate $c$ is defined by 

$\forall\bar{x}.\,[(c(\bar{x}) \equiv \exists\bar{y}.s_p[\bar{x}, \bar{y}] \wedge \forall\bar{z}.\neg s_p[\bar{z}, \bar{x}]) \wedge \Box((\bigcirc c(\bar{x})) \equiv \exists\bar{y}.(c(\bar{y}) \wedge s_p[\bar{y}, \bar{x}]))]$. 

The clock condition $C(c)$ can be proved from $\mathit{Inj}(s_p) \wedge (\mathit{Range}(s_p) \subseteq \mathit{Domain}(s_p))$ and the 
definition of $c$. As in the previous example, the reduction of $u$ to $C(c) \supset u$ follows by 
propositional reasoning and definition discharges. ∎ 



2. A basic theorem 

Intuitively, we would like to know that many formulas are arithmetical, because this makes completeness arguments easier: since we may use clocks to prove arithmetical formulas, these formulas may be easier to prove than arbitrary ones. As pointed out above, both propositional formulas and formulas that refer to a "successor" operation are arithmetical. In practice, most formulas fall into one of these two groups; this informal observation has a formal counterpart, which is the central idea in the following proof that all valid formulas are arithmetical in $T_2$.

Theorem 6.2.

If $\models u$ then $u$ is arithmetical in $\vdash_{T_2}$.

Proof:

We prove the theorem for formulas with no function symbols. A proposition in the ap- 
pendix shows that this restriction does not entail any loss of generality. 

We suppose that $\models u$ but $u$ is not arithmetical in $\vdash_{T_2}$ and derive a contradiction. Since $u$ is not arithmetical in $\vdash_{T_2}$, for all formulas $c$ we have that $\vdash_{T_2} C(c) \supset u$ but $\not\vdash_{T_2} u$. The completeness of $T_2$ for models of $T_2$ yields that $\neg u$ holds in some model $M$ of $T_2$. Now we argue that $M$ must be rather simple. Later on we derive that $\neg u$ holds in some standard model $M_s$, thus contradicting the assumption $\models u$.

Given an $n$-ary predicate symbol $p$ we expand $M$ with a relation for the rigid $2n$-ary symbol $<$, defined by
$$x < y \equiv [(\neg p(x) \wedge p(y))\;\mathcal{V}\;(p(x) \wedge \neg p(y))].$$

Intuitively, $x$ is less than $y$ if, the first time that $p$ distinguishes one from the other, $p$ is false for $x$ and true for $y$. In other words, $x$ is less than $y$ if the sequence of values of $p$ at $x$ is lexicographically less than the sequence of values of $p$ at $y$.

We also expand $M$ with relations for the associated equivalence relation $\sim$ and the associated order $\leq$:
$$x \sim y \equiv \neg(x < y \vee y < x),$$
$$x \leq y \equiv (x \sim y \vee x < y).$$

Suppose that the relation $<$ gives rise to an infinite chain of tuples of elements in the domain. Without loss of generality, we may assume that the chain is infinite "forward" (otherwise, we consider $>$ instead). Now we define a successor function after the (arbitrary) starting point $z$:
$$s(x,y) \equiv [z \leq x \wedge x < y \wedge \forall x_1.\,(x_1 \leq x \vee y \leq x_1)].$$

A clock can be constructed:
$$(c(x) \equiv (x \sim z)) \wedge \Box((\bigcirc c(x)) \equiv \exists y.\,(c(y) \wedge s(y,x))).$$

The expansion of $M$ we obtain satisfies $C(c)$, still satisfies $\neg u$, and still is a model of $T_2$. On the other hand, $C(c) \supset u$ holds in all models of $T_2$, since $\vdash_{T_2} C(c) \supset u$. Thus, we derive a contradiction. Hence, $<$ cannot give rise to infinite chains.

This implies that for each predicate symbol $p$ in $u$ there are only finitely many $\sim$-equivalence classes. In other words, for each $p$ there are only finitely many possible patterns for $p(x)$ as $x$ varies. This allows us to "split" $p$ into a rigid component and a flexible propositional component.

The model $M$ can be expanded with time-independent relations for the rigid symbols $r_1, \ldots, r_k$; we define $r_i(x)$ to hold if $x$ is in the equivalence class $i$. Also, we can introduce relations for the flexible proposition symbols $q_1, \ldots, q_k$ to represent the possible patterns of $p$. More precisely, $q_i$ is true in a certain world if $p$ holds for the $x$'s in the equivalence class $i$ in that world. After all these expansions to $M$, we have a model $M'$ of $T_2$.

In $M'$,
$$\Box\,\forall x.\,[p(x) \equiv \bigvee_{i \leq k} (r_i(x) \wedge q_i)]. \qquad (*)$$

For each predicate symbol $p$ there is a different number $k$ and a different set of defined symbols $r_1, \ldots, r_k, q_1, \ldots, q_k$ for which a similar equivalence holds.

The original formula can be rewritten using the equivalences $(*)$: each atomic formula is replaced with the corresponding disjunction. The formula obtained, $v$, is equivalent to $\neg u$ in all models where the equivalences hold.

An inductive argument on the structure of $v$ shows that $v$ is equivalent to a Boolean combination of propositional temporal formulas and formulas where all symbols are rigid. Typical transformations are to rewrite $\Box(u_1 \vee u_2)$ to $u_1 \vee \Box u_2$, if $u_1$ is rigid, and to rewrite $\forall x.\,(u_1 \vee u_2)$ to $(\forall x.\,u_1) \vee u_2$, if $u_2$ is propositional. Therefore, $v$ is equivalent to a formula of the form
$$(u^1_1 \wedge u^1_2) \vee \ldots \vee (u^n_1 \wedge u^n_2)$$
with $u^i_1$ rigid and $u^i_2$ propositional for all $i$.

Since $v$ holds in $M'$, for some $i$ the formulas $u^i_1$ and $u^i_2$ must hold in $M'$. By the standard completeness theorem for PTL ([GPSS]) $u^i_2$ must also have a standard model. We may take this model with the same domain and the same interpretation of rigid symbols as $M'$ — since these choices do not affect the truth-value of the formula $u^i_2$ and the model remains standard. Finally, the model can be expanded with relations for the flexible predicate symbols defined with the equivalences $(*)$. The model we obtain is $M_s$. Since $u^i_1$ and $u^i_2$ hold in $M_s$, $v$ holds as well. Since the equivalences hold, $M_s$ satisfies $\neg u$. Thus, we have constructed a standard model for $\neg u$ and contradicted the hypothesis that $\models u$. ∎

Remark: The proof of Theorem 6.2 requires that the logic include the operator $\mathcal{V}$, even if the formula $u$ under consideration includes only $\bigcirc$, $\Box$, $\Diamond$. Fortunately, we can refine the proof to guarantee that the theorem holds even for a logic without $\mathcal{U}$ and $\mathcal{V}$. The only step we reformulate is the definition of the rigid predicate symbol $<$.

First we define the flexible predicate symbol $p_1(x,y)$ so that $p_1(x,y)$ holds if and only if $p(x) \wedge \neg p(y)$ has already held, that is,
$$(p_1(x,y) \equiv (p(x) \wedge \neg p(y))) \wedge \Box[(\bigcirc p_1(x,y)) \equiv (p_1(x,y) \vee \bigcirc(p(x) \wedge \neg p(y)))].$$

Similarly, we define $p_2(x,y)$ so that $p_2(x,y)$ holds if and only if $\neg p(x) \wedge p(y)$ has already held. Then $<$ is defined by
$$x < y \equiv \Diamond[p_2(x,y) \wedge \neg p_1(x,y)].$$
∎
7. Soundness and completeness

The main results of this section are the soundness and completeness of $\vdash_{T_1}$ and $\vdash_{T_2}$ with respect to $\vdash_O$ and $\vdash_P$, respectively. The completeness theorem for $\vdash_{T_1}$ refers only to arithmetical formulas. The more important completeness theorem for $\vdash_{T_2}$ applies to all formulas.

The soundness theorem states that modal temporal reasoning can be transformed into 
classical reasoning with explicit time parameters; in fact, the transformation is based on a 
step by step simulation. 

Theorem 7.1. Soundness

For every formula $u$, $\vdash_{T_1} u \Rightarrow \vdash_O P(u)$ and $\vdash_{T_2} u \Rightarrow \vdash_P P(u)$.

Proof:

The argument is similar for both systems. A modal proof of $u$ consists of a proof within $T_0$ and some definition discharges within $T_1$ or $T_2$. We show how to simulate the first part (classically) and how to eliminate the second part.

First, we show how to construct a classical proof of $P(\Box v)$ from a modal proof of $v$ in $T_0$, for an arbitrary $v$. The construction proceeds by induction on the structure of the proof of $v$. We consider $\Box v$ rather than $v$ in order to handle the case where the last rule in the proof is the one that introduces $\Box$. The extra $\Box$ is easy to delete at the end of this construction, that is, if $P(\Box v)$ is provable then so is $P(v)$.

• For all axioms $v$ of $T_0$, $P(\Box v)$ is provable:

■ Let $v$ be an instance of a schema valid in PTL. A completeness result for PTL ([GPSS]) enables us to consider only the cases where $v$ is one of a few simple axioms for PTL. All of the proofs are routine.

■ Let $v$ be an instance of $u \equiv \bigcirc u$ for some rigid formula $u$. Then $P(\Box v) = \forall i \geq 0.\,[P^*(u,i) \equiv P^*(u,s(i))]$. Since $u$ is rigid, the systems of arithmetic prove $P^*(u,m) \equiv P^*(u,m')$ for any $m$ and $m'$ (this can easily be checked with an induction on the structure of $u$). It immediately follows that they prove $P(\Box v)$ as well.

■ Let $v$ be an equality axiom. Then $P(\Box v) = \forall i \geq 0.\,P^*(v,i)$ and $P^*(v,i)$ is one of
$$(x = x),$$
$$(x = y \supset y = x),$$
$$(x = y \wedge y = z \supset x = z),$$
$$(x = y \supset P^*(t,i)\theta = P^*(t,i)),$$
$$(x = y \supset P^*(w,i)\theta \equiv P^*(w,i)),$$
for some term $t$ and some formula $w$, where $\theta = \{x \leftarrow y\}$ and $y$ does not occur bound in $w$. In all cases, $P^*(v,i)$ is a classical equality axiom; therefore, the systems of arithmetic prove $P^*(v,i)$, and hence $P(\Box v)$.

■ Let $v$ be $\exists x.\,\neg w \equiv \neg\forall x.\,w$. Then
$$P(\Box v) = \forall i \geq 0.\,(\exists x.\,\neg P^*(w,i) \equiv \neg\forall x.\,P^*(w,i)).$$
Since the systems of arithmetic properly include the predicate calculus, they certainly prove $\exists x.\,\neg P^*(w,i) \equiv \neg\forall x.\,P^*(w,i)$ for any $P^*(w,i)$, and hence $P(\Box v)$.

■ Let $v$ be $(\forall x.\,w) \supset w\theta$ for some formula $w$ and some substitution $\theta = \{x \leftarrow t\}$ that does not create any new bound occurrences of variables or any occurrences of flexible terms in the scope of modal operators in $w$. Either $x$ does not occur in the scope of modal operators in $w$ or $t$ does not contain any flexible symbols. In either case,
$$P^*(w\theta,i) = P^*(w,i)\{x \leftarrow P^*(t,i)\}.$$
Then
$$P(\Box v) = \forall i \geq 0.\,[(\forall x.\,P^*(w,i)) \supset (P^*(w,i)\{x \leftarrow P^*(t,i)\})].$$
The quantifiers in $P^*(w,i)$ are those in $w$ and some additional quantifiers over numbers. The former could not bind any of the data variables in $P^*(t,i)$, since these variables occur in $t$ and the rule application does not create any new bound occurrences of variables in the original modal proof. The latter could not bind any number variables in $P^*(t,i)$, since the substitution does not create any new occurrences of flexible terms in modal contexts. Therefore, $\{x \leftarrow P^*(t,i)\}$ does not create any new bound occurrences of variables in $P^*(w,i)$. Since the systems of arithmetic properly include the predicate calculus, they certainly prove
$$(\forall x.\,P^*(w,i)) \supset (P^*(w,i)\{x \leftarrow P^*(t,i)\}),$$
that is, $(\forall x.\,P^*(w,i)) \supset P^*(w\theta,i)$, and hence $P(\Box v)$.

■ Let $v$ be $(\forall x.\,\bigcirc u) \equiv (\bigcirc\forall x.\,u)$. Note that
$$P^*((\forall x.\,\bigcirc u),i) = \forall x\forall j.\,(s_p(i,j) \supset P^*(u,j)),$$
$$P^*((\bigcirc\forall x.\,u),i) = \forall j.\,(s_p(i,j) \supset \forall x.\,P^*(u,j)),$$
and that these two formulas are provably equivalent. The provability of $P(\Box v)$ follows.






■ Let $v$ be $[\forall x.\,(u\,\mathcal{U}\,u')] \equiv [(\forall x.\,u)\,\mathcal{U}\,u']$, where $x$ is not free in $u'$. As in the previous case, $P^*(\forall x.\,(u\,\mathcal{U}\,u'),i)$ and $P^*((\forall x.\,u)\,\mathcal{U}\,u',i)$ are provably equivalent. The provability of $P(\Box v)$ follows.

• All rules in $T_0$ can be simulated (e.g., if we can infer $w$ from $v$ then we can infer $P(\Box w)$ from $P(\Box v)$):

■ Assume that $P(\Box w_0)$ and $P(\Box(w_0 \supset w_1))$ are provable to show that $P(\Box w_1)$ is provable as well. We have
$$P(\Box w_0) = \forall i \geq 0.\,P^*(w_0,i),$$
$$P(\Box(w_0 \supset w_1)) = \forall i \geq 0.\,(P^*(w_0,i) \supset P^*(w_1,i)).$$
By classical reasoning it follows that
$$\forall i \geq 0.\,[P^*(w_0,i) \wedge (P^*(w_0,i) \supset P^*(w_1,i))],$$
and then $\forall i \geq 0.\,P^*(w_1,i)$, that is, $P(\Box w_1)$.

■ Assume that $P(\Box w)$ is provable to show that $P(\Box\Box w)$ is provable as well. The formula $P(\Box w) \supset P(\Box\Box w)$, that is,
$$\forall i \geq 0.\,P^*(w,i) \supset (\forall i \geq 0)(\forall j \geq i).\,P^*(w,j),$$
is provable, since $\vdash_O (i \geq 0 \wedge j \geq i) \supset j \geq 0$. Hence, we can prove $P(\Box\Box w)$.

■ Assume that $P(\Box(w_0 \supset w_1))$ is provable and $x$ is not free in $w_0$ to show that $P(\Box(w_0 \supset \forall x.\,w_1))$ is provable as well. We have
$$P(\Box(w_0 \supset w_1)) = \forall i \geq 0.\,(P^*(w_0,i) \supset P^*(w_1,i)).$$
Since $\vdash_O \forall i.\,(i \geq 0)$, it follows that $P^*(w_0,i) \supset P^*(w_1,i)$ is provable. The variable $x$ is not free in $P^*(w_0,i)$, since it is not free in $w_0$. By the classical rule of introduction for $\forall$, we derive $P^*(w_0,i) \supset \forall x.\,P^*(w_1,i)$, that is, $P^*(w_0,i) \supset P^*(\forall x.\,w_1,i)$. Therefore, we can prove
$$\forall i \geq 0.\,[P^*(w_0,i) \supset P^*(\forall x.\,w_1,i)],$$
that is, $P(\Box(w_0 \supset \forall x.\,w_1))$.

We have transformed the part within $T_0$ of a proof of $u$ into an analogous classical proof. In the modal proof of $u$ we discharge definitions to obtain the final result $u$ from some theorem of $T_0$. We show that definitions are superfluous in the classical proof of $P(u)$, that is, if $d$ is a definition and $P(d \supset v)$ is provable then so is $P(v)$.
• If $d$ is an explicit definition and $\vdash_O P(d \supset v)$ then $\vdash_O P(v)$:
Assume that $\vdash_O P(d \supset v)$. We have
$$P(d \supset v) = [P(d) \supset P(v)],$$
and $P(d)$ is of the form
$$\forall x_1 \ldots \forall x_n.\,p(x_1, \ldots, x_n) \equiv w[x_1, \ldots, x_n].$$
We may replace every occurrence of $p(t_1, \ldots, t_n)$ with the corresponding instance $w[t_1, \ldots, t_n]$ in the proof of $\vdash_O P(d) \supset P(v)$ — possibly after some renaming of bound variables to avoid unwanted captures. Every step of the proof is still legal since $\vdash_O$ does not distinguish $p(t_1, \ldots, t_n)$ from $w[t_1, \ldots, t_n]$. We obtain a proof of
$$\vdash_O (\forall x_1 \ldots \forall x_n.\,w \equiv w) \supset P(v),$$
and, therefore, a proof of $\vdash_O P(v)$.

• If $d$ is a recursive definition and $\vdash_P P(d \supset v)$ then $\vdash_P P(v)$:
Assume that $\vdash_P P(d \supset v)$. We have
$$P(d \supset v) = [P(d) \supset P(v)],$$
and $P(d)$ is the primitive-recursive definition for a predicate symbol $p$. By classical coding techniques from Peano Arithmetic ([Kl], sections 48 and 49), $p$ is also definable explicitly, say by $d'$. The definition $d'$ is of the form
$$\forall x_1 \ldots \forall x_n \forall i.\,p(x_1, \ldots, x_n, i) \equiv w[x_1, \ldots, x_n, i].$$
Furthermore, $\vdash_P d' \supset P(d)$, and hence also $\vdash_P d' \supset P(v)$. As above, we may replace every occurrence of $p(t_1, \ldots, t_n, m)$ with the corresponding instance $w[t_1, \ldots, t_n, m]$ in the proof of $\vdash_P d' \supset P(v)$. Again, every step of the proof is still legal. We obtain a proof of
$$\vdash_P (\forall x_1 \ldots \forall x_n \forall i.\,w \equiv w) \supset P(v),$$
and, therefore, a proof of $\vdash_P P(v)$. ∎

The completeness theorem, converse to the soundness theorem, states that classical 
reasoning with explicit time parameters can be transformed into modal temporal reasoning. 
The transformation is more than a trivial simulation, though; in particular, we exploit the 
existence of clocks. 

Theorem 7.2. Completeness

For every formula $u$, $\vdash_O P(u) \Rightarrow \vdash_{T_1} u$ if $u$ is arithmetical in $\vdash_{T_1}$.
For every formula $u$, $\vdash_P P(u) \Rightarrow \vdash_{T_2} u$.

Proof:

Since the translation function $P$ preserves standard validity and $\vdash_P$ is sound, $\vdash_P P(u)$ implies that $\models u$, and hence that $u$ is arithmetical in $\vdash_{T_2}$. Therefore, it suffices to prove that for every arithmetical formula $u$ (with clock $c$) $\vdash_O P(u) \Rightarrow \vdash_{T_1} u$ and $\vdash_P P(u) \Rightarrow \vdash_{T_2} u$. The main steps of the proof are:

1) we use the clock to define some predicates and functions on the domain ($0$, $s$, $\leq$, and $\sim$ for $T_1$, and also $+$ and $\times$ for $T_2$);

2) these predicates and functions satisfy the usual properties of $0$, $s$, $\leq$, $=$, $+$, $\times$, and this can be shown within $T_1$ and $T_2$;

3) the clock also helps translate $u$ into a FTL formula $Q(u)$ syntactically similar to $P(u)$;

4) furthermore, $Q(u)$ can be shown equivalent to $u$ within $T_1$, so it suffices to construct a proof of $Q(u)$;

5) the proof of $Q(u)$ is identical in structure to that of $P(u)$, except that the usual axioms about $0$, $s$, etc., are treated as theorems.

We present the completeness proof step by step. We may assume that there are no function symbols — though we use some as abbreviations. A proposition in the appendix checks that this entails no loss of generality. Also, at some points we claim that certain formulas are provable within $T_1$ and leave the corresponding arguments for the appendix.

Step 1:

• First we define the rigid numberhood predicate $n$ by $\forall x.\,[n(x) \equiv \Diamond c[x]]$.

• We define the rigid zero predicate $0_p$ by $\forall x.\,[0_p(x) \equiv c[x]]$.

• We define the rigid successor predicate $s_p$ by
$$\forall x\forall y.\,[s_p(x,y) \equiv \Diamond(c[x] \wedge \bigcirc c[y])].$$

• Similarly, we define $x \leq y$ as $\Diamond(c[x] \wedge \Diamond c[y])$.

• Also, we define $x \sim y$ as $\Diamond(c[x] \wedge c[y])$. The relation $\sim$ is intended as an approximation to $=$.

• In $T_2$, primitive-recursive definitions can be exploited to define the rigid predicate $+_p$. First we define the flexible predicate $p_1$ by
$$\forall x\forall y.\,[(p_1(x,y) \equiv (x \sim y)) \wedge \Box((\bigcirc p_1(x,y)) \equiv \exists z.\,(p_1(x,z) \wedge s_p(z,y)))].$$
Intuitively, $p_1(x,y)$ holds at time $k$ if $x + k = y$. Therefore, we define $+_p$ by
$$\forall x\forall y\forall z.\,[+_p(x,y,z) \equiv \Diamond(c[y] \wedge p_1(x,z))].$$

• Similarly, $\times_p$ can be defined in $T_2$. First we define the flexible predicate $p_2$ by
$$\forall x\forall y.\,[(p_2(x,y) \equiv 0_p(y)) \wedge \Box((\bigcirc p_2(x,y)) \equiv \exists z.\,(p_2(x,z) \wedge +_p(z,x,y)))].$$
Intuitively, $p_2(x,y)$ holds at time $k$ if $x \times k = y$. Therefore, we define $\times_p$ by
$$\forall x\forall y\forall z.\,[\times_p(x,y,z) \equiv \Diamond(c[y] \wedge p_2(x,z))].$$

Step 2:

The defined symbols can be shown to satisfy most of their usual axioms within $T_1$. One important qualification is that the full substitutivity-of-equals property does not hold for $\sim$. However, the substitutivity properties we obtain are sufficient for our purposes. Similarly, enough (but not all) instances of the induction schema can be proved; rigid predicate definitions are essential in these proofs.

More precisely, let $A$ represent the definitions for auxiliary predicates ($A$ includes the definitions for $n$, $0_p$, $s_p$, $\leq$, and $\sim$; when addition and multiplication are involved, $A$ also includes the definitions for $p_1$, $+_p$, $p_2$, and $\times_p$). Then
$$\vdash_{T_1} (C(c) \wedge A) \supset \exists x.\,n(x).$$

This guarantees that the predicate $n$ can be treated as a sort. Any proof of $u$ using $n$ as a sort can be transformed into a proof where $n$ is a predicate (this is justified in a proposition presented in the appendix). From now on, we denote variables of this sort by letters like $i$, $j$, $k$, and terms of this sort by letters like $m$.

We write $\exists! i.\,u[i]$ as an abbreviation for
$$\exists i.\,u[i] \wedge \forall i\forall j.\,[u[i] \wedge u[j] \supset i \sim j].$$

The predicates $0_p$, $s_p$, $+_p$, and $\times_p$ can be thought of as functions on the sort defined by $n$:
$$\vdash_{T_1} (C(c) \wedge A) \supset \exists! i.\,0_p(i),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset \forall i\exists! j.\,s_p(i,j),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset \forall i\forall j\exists! k.\,+_p(i,j,k),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset \forall i\forall j\exists! k.\,\times_p(i,j,k).$$

Therefore, it is convenient to use the functional abbreviations $0$, $s$, $+$, $\times$ for $0_p$, $s_p$, $+_p$, $\times_p$, just as in $L_O$ and $L_P$.
Also, $\sim$ is an equivalence relation and enjoys some useful substitutivity properties; $\sim$ acts like $=$ on the sort defined by $n$:
$$\vdash_{T_1} (C(c) \wedge A) \supset \forall i.\,(i \sim i),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset \forall i\forall j.\,(i \sim j \supset j \sim i),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset \forall i\forall j\forall k.\,((i \sim j \wedge j \sim k) \supset i \sim k),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset \forall i\forall j.\,(i \sim j \supset \Diamond(c[i] \wedge a) \equiv \Diamond(c[j] \wedge a)) \quad \text{if } a \text{ is atomic},$$
$$\vdash_{T_1} (C(c) \wedge A) \supset \forall i\forall j.\,(i \sim j \supset a[i] \equiv a[j]),$$
if $a$ is an atomic formula with predicate symbol $n$, $0_p$, $s_p$, $\leq$, $\sim$, $+_p$, or $\times_p$.

We say that a formula is $c$-formed if it is built up from atomic formulas with relation symbol $n$, $0_p$, $s_p$, $\leq$, $\sim$, $+_p$, and $\times_p$, and from formulas of the form $\Diamond(c[m] \wedge a)$, where $a$ is atomic. The substitutivity property we need follows from the last two facts by induction:
$$\vdash_{T_1} (C(c) \wedge A) \supset \forall i\forall j.\,(i \sim j \supset u[i] \equiv u[j]) \quad \text{if } u \text{ is } c\text{-formed}.$$

Other theorems guarantee that the defined symbols satisfy the appropriate axioms:
$$\vdash_{T_1} (C(c) \wedge A) \supset \forall i.\,\neg(s(i) \sim 0),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset \forall i\forall j.\,(s(i) \sim s(j) \supset i \sim j),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset \forall i.\,((i \leq 0) \equiv (i \sim 0)),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset \forall i\forall j.\,(i \leq s(j) \equiv (i \sim s(j) \vee i \leq j)),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset \forall i.\,(i + 0 \sim i),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset \forall i\forall j.\,(i + s(j) \sim s(i + j)),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset \forall i.\,(i \times 0 \sim 0),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset \forall i\forall j.\,(i \times s(j) \sim i \times j + i),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset [u[0] \wedge (\forall i.\,u[i] \supset u[s(i)]) \supset (\forall i.\,u[i])] \quad \text{if } u \text{ is } c\text{-formed}.$$
Step 3:

We define the translation function $Q$ by $Q(u) = Q^*(u,0)$, where $Q^*$ is an auxiliary translation function such that:
$$Q^*(p(t_1, \ldots, t_k), m) = p(t_1, \ldots, t_k) \quad \text{if } p \text{ is a rigid predicate symbol},$$
$$Q^*(p(t_1, \ldots, t_k), m) = \Diamond(c[m] \wedge p(t_1, \ldots, t_k)) \quad \text{if } p \text{ is a flexible predicate symbol},$$
$$Q^*(\bigcirc u, m) = Q^*(u, s(m)),$$
$$Q^*(\Box u, m) = \forall i \geq m.\,Q^*(u,i) \quad (i \text{ and } j \text{ are new variables}),$$
$$Q^*(\Diamond u, m) = \exists i \geq m.\,Q^*(u,i),$$
$$Q^*(u\,\mathcal{U}\,v, m) = \forall i \geq m.\,[Q^*(u,i) \vee \exists j.\,(m \leq j < i \wedge Q^*(v,j))],$$
$$Q^*(u\,\mathcal{V}\,v, m) = \exists i \geq m.\,[Q^*(u,i) \wedge \forall j.\,(m \leq j < i \supset \neg Q^*(v,j))],$$
and $Q^*$ renames bound variables and preserves connectives and quantifiers.
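As an added illustration, not part of the paper, the clauses of $Q^*$ above can be run mechanically over a small formula syntax. The tuple-based abstract syntax, the function names, and the expansion of the bounded quantifiers $\forall i \geq m$ and $\exists i \geq m$ into $\forall i.\,(m \leq i \supset \ldots)$ and $\exists i.\,(m \leq i \wedge \ldots)$ are this example's own conventions; the sort restriction $n(i)$ is left implicit, as in the paper's sorted-variable abbreviation.

```python
import itertools

# Constructed example syntax (not the paper's): formulas are nested tuples.
#   ('atom', p, args, rigid)  p(args), args a tuple of variable names; rigid flags a rigid p
#   ('not', u) ('and', u, v) ('or', u, v) ('implies', u, v) ('iff', u, v)
#   ('forall', x, u) ('exists', x, u)       quantifiers over data variables
#   ('next', u) ('always', u) ('eventually', u) ('until', u, v) ('unless', u, v)
# Time terms are '0', a variable name, or ('s', m).  Translated formulas add
#   ('clock', m) for c[m], and ('leq', a, b) / ('lt', a, b) for the order on the sort n.
BINARY = {'and', 'or', 'implies', 'iff'}


def substitute(u, old, new):
    """Rename free occurrences of the data variable `old` to `new` in u."""
    kind = u[0]
    if kind == 'atom':
        return ('atom', u[1], tuple(new if a == old else a for a in u[2]), u[3])
    if kind in ('forall', 'exists'):
        if u[1] == old:                       # `old` is rebound here: nothing free inside
            return u
        return (kind, u[1], substitute(u[2], old, new))
    if kind in ('clock', 'leq', 'lt'):        # time terms carry no data variables
        return u
    return (kind,) + tuple(substitute(v, old, new) for v in u[1:])


class QStar:
    """Q*(u, m) of Step 3, with a deterministic fresh-variable supply (i0, j1, x2, ...)."""

    def __init__(self):
        self._count = itertools.count()

    def fresh(self, base):
        return f"{base}{next(self._count)}"   # assumed not to clash with user variables

    def translate(self, u, m):
        kind = u[0]
        if kind == 'atom':
            if u[3]:                                  # rigid p: independent of time
                return u
            return ('eventually', ('and', ('clock', m), u))        # ◇(c[m] ∧ p(...))
        if kind == 'not':
            return ('not', self.translate(u[1], m))
        if kind in BINARY:                            # connectives are preserved
            return (kind, self.translate(u[1], m), self.translate(u[2], m))
        if kind in ('forall', 'exists'):              # quantifiers preserved, variables renamed
            x = self.fresh(u[1])
            return (kind, x, self.translate(substitute(u[2], u[1], x), m))
        if kind == 'next':                            # Q*(○u, m) = Q*(u, s(m))
            return self.translate(u[1], ('s', m))
        if kind == 'always':                          # ∀i ≥ m. Q*(u, i)
            i = self.fresh('i')
            return ('forall', i, ('implies', ('leq', m, i), self.translate(u[1], i)))
        if kind == 'eventually':                      # ∃i ≥ m. Q*(u, i)
            i = self.fresh('i')
            return ('exists', i, ('and', ('leq', m, i), self.translate(u[1], i)))
        if kind in ('until', 'unless'):
            i, j = self.fresh('i'), self.fresh('j')
            between = ('and', ('leq', m, j), ('lt', j, i))          # m ≤ j < i
            qu, qv = self.translate(u[1], i), self.translate(u[2], j)
            if kind == 'until':   # ∀i ≥ m.[Q*(u,i) ∨ ∃j.(m ≤ j < i ∧ Q*(v,j))]
                return ('forall', i, ('implies', ('leq', m, i),
                        ('or', qu, ('exists', j, ('and', between, qv)))))
            # unless:             ∃i ≥ m.[Q*(u,i) ∧ ∀j.(m ≤ j < i ⊃ ¬Q*(v,j))]
            return ('exists', i, ('and', ('leq', m, i),
                    ('and', qu, ('forall', j, ('implies', between, ('not', qv))))))
        raise ValueError(f"unknown constructor {kind!r}")


def q(u):
    """Q(u) = Q*(u, 0); a new translator per call keeps fresh names reproducible."""
    return QStar().translate(u, '0')


def render(u):
    """Print a formula or time term in the paper's notation."""
    if isinstance(u, str):
        return u
    kind = u[0]
    if kind == 's':
        return f"s({render(u[1])})"
    if kind == 'atom':
        return f"{u[1]}({', '.join(u[2])})"
    if kind == 'clock':
        return f"c[{render(u[1])}]"
    if kind in ('leq', 'lt'):
        return f"{render(u[1])} {'≤' if kind == 'leq' else '<'} {render(u[2])}"
    if kind == 'not':
        return '¬' + render(u[1])
    if kind in ('forall', 'exists'):
        return ('∀' if kind == 'forall' else '∃') + f"{u[1]}.{render(u[2])}"
    if kind in ('next', 'always', 'eventually'):
        return {'next': '○', 'always': '□', 'eventually': '◇'}[kind] + render(u[1])
    ops = {'and': '∧', 'or': '∨', 'implies': '⊃', 'iff': '≡', 'until': 'U', 'unless': 'V'}
    return f"({render(u[1])} {ops[kind]} {render(u[2])})"
```

For instance, `render(q(('forall', 'x', ('always', ('implies', ('atom', 'p', ('x',), False), ('eventually', ('atom', 'q', ('x',), False)))))))` yields the explicit-time formula `∀x0.∀i1.(0 ≤ i1 ⊃ (◇(c[i1] ∧ p(x0)) ⊃ ∃i2.(i1 ≤ i2 ∧ ◇(c[i2] ∧ q(x0)))))`, in which every flexible atom has been pinned to a clock value.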



Step 4:

The function $Q$ provably preserves meaning. First we prove:

Lemma 7.3.

$\vdash_{T_1} (C(c) \wedge A) \supset (Q^*(u,m) \equiv \Diamond(c[m] \wedge u))$ for all $u$ and $m$.

Proof:

The lemma is proved by induction on the structure of $u$. It suffices to show that
$$\vdash_{T_1} (C(c) \wedge A) \supset Q^*(p(t_1, \ldots, t_k), m) \equiv \Diamond(c[m] \wedge p(t_1, \ldots, t_k)),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset Q^*(\neg u, m) \equiv \Diamond(c[m] \wedge \neg u),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset Q^*(u_1 \wedge u_2, m) \equiv \Diamond(c[m] \wedge (u_1 \wedge u_2)),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset Q^*(u_1 \vee u_2, m) \equiv \Diamond(c[m] \wedge (u_1 \vee u_2)),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset Q^*(\forall x.\,u, m) \equiv \Diamond(c[m] \wedge \forall x.\,u),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset Q^*(\exists x.\,u, m) \equiv \Diamond(c[m] \wedge \exists x.\,u),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset Q^*(\bigcirc u, m) \equiv \Diamond(c[m] \wedge \bigcirc u),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset Q^*(\Box u, m) \equiv \Diamond(c[m] \wedge \Box u),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset Q^*(\Diamond u, m) \equiv \Diamond(c[m] \wedge \Diamond u),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset Q^*(u\,\mathcal{U}\,v, m) \equiv \Diamond(c[m] \wedge u\,\mathcal{U}\,v),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset Q^*(u\,\mathcal{V}\,v, m) \equiv \Diamond(c[m] \wedge u\,\mathcal{V}\,v),$$
with the induction hypothesis that the lemma holds for all proper subformulas of the formulas under consideration.

By the induction hypothesis, it suffices to show that
$$\vdash_{T_1} (C(c) \wedge A) \supset p(t_1, \ldots, t_k) \equiv \Diamond(c[m] \wedge p(t_1, \ldots, t_k)) \quad \text{if } p \text{ is rigid},$$
$$\vdash_{T_1} (C(c) \wedge A) \supset \Diamond(c[m] \wedge p(t_1, \ldots, t_k)) \equiv \Diamond(c[m] \wedge p(t_1, \ldots, t_k)) \quad \text{if } p \text{ is flexible},$$
$$\vdash_{T_1} (C(c) \wedge A) \supset \neg\Diamond(c[m] \wedge u) \equiv \Diamond(c[m] \wedge \neg u),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset (\Diamond(c[m] \wedge u_1) \wedge \Diamond(c[m] \wedge u_2)) \equiv \Diamond(c[m] \wedge (u_1 \wedge u_2)),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset (\Diamond(c[m] \wedge u_1) \vee \Diamond(c[m] \wedge u_2)) \equiv \Diamond(c[m] \wedge (u_1 \vee u_2)),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset \forall x'.\,\Diamond(c[m] \wedge u[x']) \equiv \Diamond(c[m] \wedge \forall x.\,u[x]) \quad \text{if } x' \text{ is a new variable (in particular, } x' \text{ does not occur in } c[m]),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset \exists x'.\,\Diamond(c[m] \wedge u[x']) \equiv \Diamond(c[m] \wedge \exists x.\,u[x]) \quad \text{if } x' \text{ is a new variable (in particular, } x' \text{ does not occur in } c[m]),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset \Diamond(c[s(m)] \wedge u) \equiv \Diamond(c[m] \wedge \bigcirc u),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset \forall i \geq m.\,\Diamond(c[i] \wedge u) \equiv \Diamond(c[m] \wedge \Box u),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset \exists i \geq m.\,\Diamond(c[i] \wedge u) \equiv \Diamond(c[m] \wedge \Diamond u),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset \forall i \geq m.\,[\Diamond(c[i] \wedge u) \vee \exists j.\,(m \leq j < i \wedge \Diamond(c[j] \wedge v))] \equiv \Diamond(c[m] \wedge u\,\mathcal{U}\,v),$$
$$\vdash_{T_1} (C(c) \wedge A) \supset \exists i \geq m.\,[\Diamond(c[i] \wedge u) \wedge \forall j.\,(m \leq j < i \supset \neg\Diamond(c[j] \wedge v))] \equiv \Diamond(c[m] \wedge u\,\mathcal{V}\,v).$$

The second formula is trivially provable. Duality considerations enable us to omit the cases for $\vee$, $\exists$, $\Diamond$, and $\mathcal{V}$. Also, the case for $\Box$ is subsumed by the case for $\mathcal{U}$ and can be omitted. The remaining cases are treated in the appendix. ∎

Theorem 7.4.

$\vdash_{T_1} (C(c) \wedge A) \supset (u \equiv Q(u))$ for all $u$.

Proof:

In the appendix we check that
$$\vdash_{T_1} (C(c) \wedge A) \supset (u \equiv \Diamond(c[0] \wedge u)) \quad \text{for all } u.$$
The lemma yields
$$\vdash_{T_1} (C(c) \wedge A) \supset (u \equiv Q^*(u,0)) \quad \text{for all } u.$$
Now it suffices to point out that $Q^*(u,0) = Q(u)$. ∎

Step 5:

The formula $u$ is provable if $(C(c) \wedge A) \supset u$ is provable (in the appropriate system). By step 4, it suffices to show that $(C(c) \wedge A) \supset Q(u)$ is provable.

The formulas $Q(u)$ and $P(u)$ have identical syntactic structures, except that formulas of the form $\Diamond(c[m] \wedge p(t_1, \ldots, t_k))$ occur in $Q(u)$ where atoms of the form $p(t_1, \ldots, t_k, m)$ occur in $P(u)$. This difference is insignificant enough that the proof for $P(u)$ can be applied to $(C(c) \wedge A) \supset Q(u)$, with four minor modifications:

• The assumption $C(c) \wedge A$ is carried along.

• The equality symbol for numbers, $=$, is replaced with $\sim$.

• If $p$ is an uninterpreted predicate symbol then the atom $p(t_1, \ldots, t_k, m)$ is replaced with $\Diamond(c[m] \wedge p(t_1, \ldots, t_k))$.

• The axioms about numbers are no longer treated as axioms, but they are proved from $C(c) \wedge A$ (as in step 2). Note that since all formulas in the proof of $Q(u)$ are $c$-formed, the substitutivity and induction properties we obtain suffice. ∎

This concludes the proof of the completeness theorem. As a corollary, we can show that $T_0$ is strictly less powerful than $T_1$ and $T_1$ is strictly less powerful than $T_2$. Of course, all systems are incomplete in the standard sense.

Corollary 7.5.

$\vdash_{T_0} \subset \vdash_{T_1} \subset \vdash_{T_2} \subset \models$.

Proof:

The inclusion of all the proof concepts in $\models$ is a consequence of their soundness. Since they are all effective, they are incomplete; hence their inclusion in $\models$ is proper.

It is trivial that $\vdash_{T_0} \subseteq \vdash_{T_1} \subseteq \vdash_{T_2}$, since $T_0$ is a subsystem of $T_1$ and $T_1$ is a subsystem of $T_2$. Also, there are formulas $u_1$ and $u_2$ to separate $\vdash_{T_0}$ from $\vdash_{T_1}$ and $\vdash_{T_1}$ from $\vdash_{T_2}$, respectively:

For $u_1$, take
$$[(\forall x.\,\Diamond\,a = x) \wedge (\forall x.\,\Box(a = x \supset \bigcirc\Box\,a \neq x)) \wedge p(a) \wedge (\forall x\forall y.\,(p(x) \wedge \Diamond(a = x \wedge \bigcirc a = y)) \supset p(y))] \supset (\forall x.\,p(x)).$$

Note that $u_1$ is very similar to $u_0$ exhibited for the nonstandard incompleteness Theorem 4.5 (we introduce a slight difference to make $u_1$ obviously arithmetical). In fact, the arguments in the proof of Theorem 4.5 show that $\not\vdash_{T_0} u_1$ and $\vdash_O P(u_1)$, with no modification. Also, the formula $u_1$ is arithmetical in $T_1$, with clock $(a = x)$. By the completeness theorem, it follows that $\not\vdash_{T_0} u_1$ and $\vdash_{T_1} u_1$.

As for $u_2$, Biro and Sain ([BS]) have produced a formula $v$ of $L_O$ such that $\not\vdash_O v$ and $\vdash_P v$. It is an immediate observation that $v$ is the translation of a FTL formula, say $u_2$. By our soundness and completeness theorems, it follows that $\not\vdash_{T_1} u_2$ and $\vdash_{T_2} u_2$. ∎

Remark: Consider the restrictions of $T_1$ and $T_2$ that do not operate on formulas with $\mathcal{U}$ and $\mathcal{V}$. The completeness theorem and its corollary hold for these restricted systems. In fact, the proofs are special cases of the general proofs. Note, in particular, that we have pointed out that all valid formulas are arithmetical in $\vdash_{T_2}$ even when the logic does not include $\mathcal{U}$ and $\mathcal{V}$. ∎



8. Related work 

The intractability of FTL has been widely accepted for some time. However, no in- 
tractability proof has been published to the best of our knowledge. 

In dynamic logic, the intractability theorems initially led to an interest in completeness 
results for arithmetical universes ([Hal]). We suspect these results do not carry over 
directly to temporal logic. On the other hand, literature on nonstandard logics of programs 
(e.g., [N], [BS], [Sal], [Sa2]) discusses notions of completeness similar to those we study. 

Previous works on nonstandard temporal logics differ from ours in three major re- 
spects. First, the logics under consideration often include the modal operator First, but 
not U and V, and the only flexible symbols are constant symbols. Second, the works 
focus on weak FTL proof systems, similar to To and T\. Third, the main soundness and 
completeness theorems given are for special classes of sentences, such as partial and total 
correctness assertions for deterministic sequential programs. For instance, these theorems 
do not directly apply to reasoning about concurrent systems. 

There have been results analogous to ours for other modal logics. In particular, 
Solovay ([So]) has provided an interpretation of the propositional logic of provability in 
Peano Arithmetic. Although our main positive result seems close in style and form to 
Solovay's, the constructions used in the proofs have little in common. Another fundamental 
difference is that the logic Solovay considers is axiomatizable, while temporal logic is highly 
intractable. 
9. Open questions

The system we are most interested in is $T_2$, because it corresponds well both to Peano Arithmetic and to informal proof methods, and because it is the most powerful one of those we have considered. Still, there are some intriguing open questions on $T_0$ and $T_1$:

• We have shown that $\vdash_{T_0}$ is incomplete with respect to $\vdash_O$. Is there any simple characterization of $T_0$?

• We would like to know whether $T_1$ is actually complete for all formulas (and not just for arithmetical formulas). Consider augmenting $T_1$ with a rule to use a clock, that is, to derive $u$ from $C(c) \supset u$ provided that the flexible predicate symbol $c$ does not occur in $u$. As long as the domain of discourse is infinite, the rule is harmless. With this rule, all formulas become arithmetical, and hence $T_1$ becomes complete with respect to $\vdash_O$. Thus, we would like to know whether a clock adds power to $T_1$.



10. Appendix 

In the following subsections 10.1 and 10.2 we prove two general propositions to show 
how to replace function symbols with predicate symbols and predicates with sorts. These 
are simple extensions of propositions well known in classical logic ([Kl], [Gal]). 

In subsection 10.3 we argue that certain formulas can be proved within $T_1$.



1. Eliminating function symbols

Given a formula $u$ and a set $F$ of uninterpreted function symbols in a given language, we define the "unnesting" of $u$, $u^*$, to be the formula obtained by repeatedly replacing occurrences of
$$p(\ldots, t[f(t_1, \ldots, t_n)], \ldots)$$
with
$$\exists x.\,[f(t_1, \ldots, t_n) = x \wedge p(\ldots, t[x], \ldots)]$$
where $f \in F$ and $x$ is a new variable, until all $f$'s in $F$ occur only in atomic formulas of the form $f(t_1, \ldots, t_n) = x$. For the sake of uniqueness, we may choose a standard order for this rewriting.

Now $u^*$ can be transformed into a formula $u^+$ with no function symbols in $F$: for each $f \in F$, we replace $f(t_1, \ldots, t_n) = x$ with $q_f(t_1, \ldots, t_n, x)$. Let $F_u$ be the set of elements of $F$ that occur in $u$. The formula
$$\bigwedge_{f \in F_u} [\Box\,\forall x_1 \ldots \forall x_n \exists! y.\,q_f(x_1, \ldots, x_n, y)]$$
expresses that all the predicate symbols introduced represent functions. (For rigid $f$'s, the $\Box$ may be omitted.) Thus,
$$u' : \bigwedge_{f \in F_u} [\Box\,\forall x_1 \ldots \forall x_n \exists! y.\,q_f(x_1, \ldots, x_n, y)] \supset u^+$$
is equivalent to the original $u$.

When the language is sorted, $u'$ is defined analogously and the new symbols introduced are taken in the appropriate sorts.

Proposition 10.1.

Let $\vdash$ be one of $\vdash_O$, $\vdash_P$, $\vdash_{T_0}$, $\vdash_{T_1}$, and $\vdash_{T_2}$. For every formula $u$, $\vdash u \Leftrightarrow \vdash u'$.

Proof:

To prove that $\vdash u \Rightarrow \vdash u'$, we assume that $u$ has a proof and construct a proof for $u'$. The construction proceeds by induction on the structure of a proof for $u$. More precisely, we check that if $v$ is an axiom then $v'$ is provable and that if a rule derives $v$ from $v_1, \ldots, v_k$ then $v'$ can be obtained from $v'_1, \ldots, v'_k$. The usual classical arguments are omitted. We present only the arguments for the temporal axioms and rules.

• If $v$ is an instance of a valid PTL schema, of $u \equiv \bigcirc u$ (with $u$ rigid), of $(\forall x.\,\bigcirc u) \equiv (\bigcirc\forall x.\,u)$, or of $[\forall x.\,(u\,\mathcal{U}\,v)] \equiv [(\forall x.\,u)\,\mathcal{U}\,v]$, then $v^+$ is an instance of the same schema, and, therefore, is an axiom. The axiom $v^+$ immediately yields $v'$.

• Suppose $v$ is $\Box w$ and is deduced from $w$. Clearly, $\Box w'$ can be deduced from $w'$. By propositional temporal reasoning, $\vdash (\Box w') \equiv (\Box w)'$, so $(\Box w)'$ can be deduced from $w'$.

• Suppose $v$ is deduced from $d \supset v$, for a definition $d$. Since $d^+$ is also a definition, $v'$ can be deduced from $d^+ \supset v'$. By propositional reasoning, $\vdash (d \supset v)' \equiv (d^+ \supset v')$. Therefore, $v'$ can be deduced from $(d \supset v)'$.

To prove the other direction, $\vdash u' \Rightarrow \vdash u$, we assume that $\vdash u'$ and show that $\vdash u$. Let $v$ be $u'$ with $f(t_1, \ldots, t_n) = t_{n+1}$ substituted for $q_f(t_1, \ldots, t_{n+1})$, for all $f \in F$. Clearly, the same proof succeeds for $v$ and $u'$, since they have the same structure; thus, $\vdash v$. In all systems under consideration functions are provably functional. In particular,
$$\vdash \bigwedge_{f \in F_u} [\Box\,\forall x_1 \ldots \forall x_n \exists! y.\,f(x_1, \ldots, x_n) = y].$$
Since $v = \bigwedge_{f \in F_u} [\Box\,\forall x_1 \ldots \forall x_n \exists! y.\,f(x_1, \ldots, x_n) = y] \supset u^*$, it follows that $\vdash u^*$.

Now, it suffices to show that $\vdash u \equiv u^*$. It suffices to point out that each step of the "unnesting" is provably correct, that is,
$$\vdash p(\ldots, t[f(t_1, \ldots, t_n)], \ldots) \equiv \exists x.\,[f(t_1, \ldots, t_n) = x \wedge p(\ldots, t[x], \ldots)].$$
∎

This proposition guarantees that some proofs need to consider only formulas of restricted forms, where some or all function symbols are forbidden:

Corollary 10.2.

Assume that $T_0$ is complete for models of $T_0$ for all sets of formulas with no flexible function symbols, that is, if no function symbol occurs in the formulas in $\Sigma$ and if $\Sigma$ is $T_0$-consistent then $\Sigma$ holds in some model of $T_0$. Then $T_0$ is complete for models of $T_0$.

Proof:

Consider a $T_0$-consistent set of formulas $\Sigma$ where flexible function symbols may occur. We eliminate all flexible function symbols as in the proposition. More precisely, we define:
$$F = \{f \mid f \text{ is a flexible function symbol occurring in } \Sigma\},$$
$$\Sigma' = \{u^+ \mid u \in \Sigma\} \cup \{\Box\,\forall x_1 \ldots \forall x_n \exists! y.\,q_f(x_1, \ldots, x_n, y) \mid f \in F\}.$$
By the proposition, $\Sigma'$ is $T_0$-consistent. The assumption yields that $\Sigma'$ has models. In one of these models, the predicate symbols that replace the flexible function symbols are interpreted as functions. Hence, a model for $\Sigma$ can be read off immediately. ∎

Corollary 10.3.

Assume that every valid formula with no function symbols is arithmetical in $\vdash_{T_2}$, that
is, if no function symbol occurs in $u$ and $\models u$ then $u$ is arithmetical in $\vdash_{T_2}$. Then
every valid formula is arithmetical in $\vdash_{T_2}$.

Proof:

Given a valid formula $u$, $u'$ is also valid. Therefore, $u'$ is arithmetical in $\vdash_{T_2}$. Let $c_0$
be a clock for $u'$. If $\vdash_{T_2} C(c_0) \supset u'$ then $\vdash_{T_2} u'$. We obtain a formula $c_1$ from $c_0$ by
replacing all occurrences of $q_f(t_1, \ldots, t_{n+1})$ with $f(t_1, \ldots, t_n) = t_{n+1}$. The formula $c_1$
is our candidate clock for $u$. Assume that $\vdash_{T_2} C(c_1) \supset u$, to show that $\vdash_{T_2} u$. By the
proposition, $\vdash_{T_2} [C(c_1) \supset u]'$. Also, $\vdash_{T_2} [C(c_1) \supset u]' \equiv [C(c_0) \supset u']$ by propositional
reasoning. Therefore, $\vdash_{T_2} C(c_0) \supset u'$, and hence, since $c_0$ is a clock for $u'$, $\vdash_{T_2} u'$. By the
proposition, $\vdash_{T_2} u$ follows. $\blacksquare$

Corollary 10.4.

Assume that $\vdash_0 P(u) \Rightarrow \vdash_{T_1} u$ and $\vdash_P P(u) \Rightarrow \vdash_{T_2} u$ for every arithmetical formula
$u$ with no function symbols. Then $\vdash_0 P(u) \Rightarrow \vdash_{T_1} u$ and $\vdash_P P(u) \Rightarrow \vdash_{T_2} u$ for every
arithmetical formula $u$.

Proof:

Assume that $\vdash_0 P(u) \Rightarrow \vdash_{T_1} u$ for all arithmetical $u$ with no function symbols and that for
some arithmetical $v$, $\vdash_0 P(v)$. We show that $\vdash_{T_1} v$. Since $\vdash_0 P(v)$, the proposition yields
$\vdash_0 (P(v))'$. Note that $(P(v))' = P(v')$, and hence $\vdash_0 P(v')$.

Moreover, if $v$ is arithmetical then so is $v'$ (in fact, if $c$ is a clock for $v$ then $c'$ is a
clock for $v'$). Since $v'$ contains no function symbols and is arithmetical, $\vdash_{T_1} v'$ follows from
our assumption. By the proposition, $\vdash_{T_1} v$.

A similar argument handles $\vdash_P$ and $\vdash_{T_2}$. $\blacksquare$



2. From predicates to sorts 

We show that treating a rigid predicate as a sort does not improve provability. This
very minor proposition on sorts can be extended in a number of ways, but the current
form suffices for our purposes.

Suppose that $\forall i.\,u[i]$ and $\exists i.\,u[i]$ are used as abbreviations for $\forall x.\,(p(x) \supset u[x])$ and
$\exists x.\,(p(x) \wedge u[x])$, respectively, and that the usual rules for quantifiers are applied to formulas
with these special sorted variables. Thus, any provability concept $\vdash$ is extended to a new
provability concept $\vdash_s$ for formulas with this kind of sort abbreviations. As long as $p$
provably corresponds to a non-empty relation, $\vdash_s$ is no more powerful than the original $\vdash$.

Proposition 10.5.

Let $p$ be a rigid predicate symbol and $\vdash$ be one of $\vdash_{T_1}$ and $\vdash_{T_2}$. Suppose that
$u[i_1, \ldots, i_n]$ has a proof within $\vdash_s$, that is, $\vdash_s u[i_1, \ldots, i_n]$. In this proof, $i_1, \ldots, i_n$
are the only variables in the sort defined by $p$ that may occur free. Let $u'$ be the
formula

$$[(\exists x.\,p(x)) \wedge p(x_1) \wedge \ldots \wedge p(x_n)] \supset u[x_1, \ldots, x_n].$$

Then $\vdash u'$.

Proof:

We show how to construct a proof of $\vdash u'$ by induction on the structure of a proof of $\vdash_s u$.
More precisely, we check that if $v$ is an axiom in $\vdash_s$ then $\vdash v'$, and that if a rule derives
$v$ from $v_1, \ldots, v_k$ within $\vdash_s$ then $v'$ can be obtained from $v_1', \ldots, v_k'$ within $\vdash$. Again, we
spell out only the arguments for the temporal axioms and rules; the remaining arguments
are similar and totally classical.

• If $v[i_1, \ldots, i_n]$ is an instance of a valid PTL schema, of $u \equiv \bigcirc u$ (with $u$ rigid), of
$(\forall x.\,\bigcirc u) \equiv (\bigcirc\forall x.\,u)$, or of $[\forall x.\,(u\,\mathcal{U}\,v)] \equiv [(\forall x.\,u)\,\mathcal{U}\,v]$, then $v[x_1, \ldots, x_n]$ is an
instance of the same schema, and, therefore, is an axiom. The provability of $v'$
follows immediately.

• Suppose $v$ is $\Box w$ and is deduced from $w$. Clearly, $\Box w'$ can be deduced from
$w'$. By propositional temporal reasoning, $\vdash \Box w' \equiv (\Box w)'$, so $(\Box w)'$ can be
deduced from $w'$.

• Suppose $v[i_1, \ldots, i_n]$ is deduced from $d[i_1, \ldots, i_n] \supset v[i_1, \ldots, i_n]$, for a definition
$d[i_1, \ldots, i_n]$. Since $d[x_1, \ldots, x_n]$ is also a definition, $v'$ can be deduced from
$d[x_1, \ldots, x_n] \supset v'$. By propositional reasoning, the formulas $(d[x_1, \ldots, x_n] \supset v')$
and $(d[i_1, \ldots, i_n] \supset v)'$ are equivalent. Therefore, $v'$ follows from $(d \supset v)'$. $\blacksquare$

3. Some useful theorems 

In steps 2 and 4 of the completeness theorem (section 7) we claim that certain formulas
are provable in $T_1$. We justify the claim in this subsection. Most of the arguments are routine.
Since $T_1$ is complete with respect to models of $T_1$, we are able to give some (slightly)
semantic proofs. The corresponding syntactic proofs are long but easy to reconstruct.

The formulas $C(c)$ and $A$ are defined as in section 7. Throughout, we consider a model
$M$ of $T_1$ where $C(c)$ and $A$ hold.

• $\vdash_{T_1} (C(c) \wedge A) \supset \exists x.\,n(x)$

The model $M$ satisfies $(\exists x.\,c[x])$, since it satisfies $C(c)$. Hence, it satisfies $(\exists x.\,\Diamond c[x])$.
Since $n(x)$ is defined as $\Diamond c[x]$, $M$ also satisfies $(\exists x.\,n(x))$.

• $\vdash_{T_1} (C(c) \wedge A) \supset [\Box(c[i] \supset u) \equiv \Diamond(c[i] \wedge u)]$ $\quad$ (*)

(This "duality proposition" is a useful tool in proving the remaining theorems.)

Assume that $\Diamond(c[i] \wedge u)$ holds in $M$. Suppose that $\Box(c[i] \supset u)$ does not hold, that is,
that $\Diamond(c[i] \wedge \neg u)$ holds. By propositional temporal reasoning we obtain $\Diamond(c[i] \wedge \bigcirc\Diamond c[i])$,
in contradiction with $C(c)$. Therefore, $\Box(c[i] \supset u)$ must hold.

Assume that $\Box(c[i] \supset u)$ holds. By the definition of $n$, $\Diamond c[i]$ holds; propositional
temporal reasoning yields $\Diamond(c[i] \wedge u)$.

• $\vdash_{T_1} (C(c) \wedge A) \supset [\Box((\bigcirc c[i]) \supset u) \equiv \Diamond((\bigcirc c[i]) \wedge u)]$ $\quad$ (**)

The proof is similar to the previous one.

• $\vdash_{T_1} (C(c) \wedge A) \supset \exists! i.\,0_p(i)$

The model $M$ satisfies $\exists i.\,c[i]$, since it satisfies $C(c)$. It follows that $\exists i.\,0_p(i)$ holds, by
the definition of $0_p$. Furthermore, if both $0_p(i)$ and $0_p(j)$ hold, then $c[i]$ and $c[j]$ hold, so
$\Diamond(c[i] \wedge c[j])$ holds as well. It follows that $i \sim j$, by the definition of $\sim$.

• $\vdash_{T_1} (C(c) \wedge A) \supset \forall i\,\exists! j.\,s_p(i, j)$

Consider an arbitrary $i$. By the definition of $n$, $c[i]$ must hold at some world $w_1$ such
that $w_0 R_2 w_1$. Then there is some $j$ with property $c$ at some world $w_2$ such that $w_1 R_1 w_2$:
since $C(c)$ must hold at $w_1$, $\bigcirc\exists y.\,c[y]$ must hold at $w_1$. By the definition of $s_p$, this means
that $i$ has a successor. To see that this successor is unique (as far as $\sim$ can distinguish),
assume that both $j$ and $j'$ are successors to $i$. Then both $\bigcirc c[j]$ and $\bigcirc c[j']$ hold at $w_1$;
hence $c[j] \wedge c[j']$ holds at $w_2$. It follows that $\Diamond\bigcirc(c[j] \wedge c[j'])$, and hence $\Diamond(c[j] \wedge c[j'])$,
hold at $w_0$. The definition of $\sim$ yields that $j \sim j'$.

• $\vdash_{T_1} (C(c) \wedge A) \supset \forall i\,\forall j\,\exists! k.\,+_p(i, j, k)$

We first show that $p_1$ defines a flexible function from numbers to numbers at all worlds
$w_1$ such that $w_0 R_2 w_1$. By the induction principle, it suffices to show that $p_1$ is a function
at $w_0$ and that if it is a function at some $w_1$ such that $w_0 R_2 w_1$ then it is a function at
some $w_2$ such that $w_1 R_1 w_2$. At $w_0$, $p_1(i, j)$ holds if and only if $i \sim j$ holds (at the initial
world, the one whose clock value satisfies $0_p$, $p_1$ is defined in terms of $\sim$); since $\sim$ is provably
an equivalence relation, $p_1$ defines a function. Now assume that $p_1$ is a function at $w_1$ and consider
$w_2$. At $w_2$, $p_1(i, j)$ holds if and only if for some $k$ we have $s_p(k, j)$ and $p_1(i, k)$ holds at $w_1$.
Since $p_1$ is a function at $w_1$ and $s_p$ is a function, $p_1$ is a function at $w_2$.

To show that $+_p$ is a function, consider arbitrary $i$ and $j$. By the definition of $n$, there
must be some $w_1$ that satisfies $c[j]$ such that $w_0 R_2 w_1$. For some $\sim$-unique $k$, $w_1$ satisfies
$p_1(i, k)$, and hence $+_p(i, j, k)$. To finish, we need to check that if $c[j]$ holds at both $w_1$ and
$w_1'$, then the same $k$ gives us $p_1(i, k)$ at $w_1$ and $w_1'$. Suppose that $p_1(i, k)$ holds at $w_1$; then
$\Diamond(c[j] \wedge p_1(i, k))$ holds at $w_0$. By (*), we obtain $\Box(c[j] \supset p_1(i, k))$. Therefore, $p_1(i, k)$
holds at $w_1'$. If $p_1(i, k')$ holds at $w_1'$ for some other $k'$, we have $k \sim k'$ because $p_1$ defines a
function.

• $\vdash_{T_1} (C(c) \wedge A) \supset \forall i\,\forall j\,\exists! k.\,\times_p(i, j, k)$

The argument is exactly analogous to the one for $+_p$ (using $+_p$ instead of $s_p$).

• $\vdash_{T_1} (C(c) \wedge A) \supset \forall i.\,(i \sim i)$

Consider an arbitrary $i$. By the definition of $n$, $\Diamond(c[i] \wedge c[i])$, that is, $i \sim i$, holds.

• $\vdash_{T_1} (C(c) \wedge A) \supset \forall i\,\forall j.\,(i \sim j \supset j \sim i)$

Consider arbitrary $i$ and $j$ such that $i \sim j$, that is, $\Diamond(c[i] \wedge c[j])$. By commutativity,
$\Diamond(c[j] \wedge c[i])$, that is, $j \sim i$, holds.

• $\vdash_{T_1} (C(c) \wedge A) \supset \forall i\,\forall j\,\forall k.\,((i \sim j \wedge j \sim k) \supset i \sim k)$

Consider arbitrary $i$, $j$, and $k$ such that $i \sim j$ and $j \sim k$, that is, $\Diamond(c[i] \wedge c[j])$ and
$\Diamond(c[j] \wedge c[k])$. By (*), $\Box(c[j] \supset c[k])$ follows. By propositional temporal reasoning, we
obtain $\Diamond(c[i] \wedge c[j] \wedge c[k])$, and then derive $\Diamond(c[i] \wedge c[k])$, that is, $i \sim k$.

• $\vdash_{T_1} (C(c) \wedge A) \supset \forall i\,\forall j.\,(i \sim j \supset [\Diamond(c[i] \wedge a) \equiv \Diamond(c[j] \wedge a)])$ if $a$ is atomic

Consider arbitrary $i$ and $j$ such that $i \sim j$, that is, $\Diamond(c[i] \wedge c[j])$, and assume that
$\Diamond(c[i] \wedge a)$. By (*), $\Box(c[i] \supset c[j])$ follows. By propositional temporal reasoning we obtain
$\Diamond(c[j] \wedge a)$. The other direction of the equivalence is similar.

• $\vdash_{T_1} (C(c) \wedge A) \supset \forall i\,\forall j.\,(i \sim j \supset a[i] \equiv a[j])$

if $a$ is atomic with relation symbol $n$, $0_p$, $s_p$, $<$, $\sim$, $+_p$, or $\times_p$.

We prove a more general proposition instead:

• $\vdash_{T_1} (C(c) \wedge A) \supset \forall i\,\forall j.\,(i \sim j \supset \Box(a[i] \equiv a[j]))$

if $a$ is atomic with relation symbol $n$, $0_p$, $s_p$, $<$, $\sim$, $p_1$, $+_p$, $p_2$, or $\times_p$.

We first prove the property for $a$ atomic with relation symbol $n$, $0_p$, $s_p$, $<$, or $\sim$.
Consider arbitrary $i$ and $j$ such that $i \sim j$, that is, $\Diamond(c[i] \wedge c[j])$. By (*), $\Box(c[i] \equiv c[j])$
follows. Let $d[i]$ and $d[j]$ be the formulas obtained from $a[i]$ and $a[j]$ when the symbols $n$,
$0_p$, $s_p$, $<$, and $\sim$ are replaced with their definitions. Note that $a[i]$ and $a[j]$ are provably
equivalent to $d[i]$ and $d[j]$, respectively. Since $i$ and $j$ occur in $d[i]$ and $d[j]$ only as
arguments to $c$, $\Box(c[i] \equiv c[j])$ yields $\Box(d[i] \equiv d[j])$. It follows that $a[i] \equiv a[j]$, and then,
since all symbols involved are rigid, $\Box(a[i] \equiv a[j])$.

For $p_1$, the proof is inductive. It suffices to show that substitutivity holds at $w_0$ and
that if it holds at some $w_1$ such that $w_0 R_2 w_1$ then it holds at some $w_2$ such that $w_1 R_1 w_2$.
At $w_0$, substitutivity holds because $p_1$ is defined in terms of $\sim$, for which we have already
proved substitutivity. Now assume that substitutivity holds at $w_1$ to prove that it holds
at some successor world $w_2$. The meaning of $p_1$ at $w_2$ is defined in terms of $s_p$ and $p_1$ at
$w_1$; we have proved substitutivity for $s_p$ and assumed it for $p_1$ at $w_1$. Therefore, we have
substitutivity for $p_1$ at $w_2$.

Now substitutivity for $+_p$ follows because $+_p$ is defined in terms of $c$ and $p_1$. A similar
argument enables us to prove substitutivity for $p_2$ from substitutivity for $0_p$ and $+_p$, and
substitutivity for $\times_p$ from substitutivity for $p_2$.

• $\vdash_{T_1} (C(c) \wedge A) \supset \forall i.\,(s(i) \not\sim 0)$

Consider an arbitrary $i$ and a successor $j$ of $i$. By the definition of $s_p$, we obtain
$\Diamond\bigcirc c[j]$. We have that $\bigcirc\Box\neg c[0]$ (from $C(c)$ and the definition of $0_p$). Propositional
temporal reasoning yields $\Diamond(c[j] \wedge \neg c[0])$; (*) yields $\Box(c[j] \supset \neg c[0])$, that is, $j \not\sim 0$.

• $\vdash_{T_1} (C(c) \wedge A) \supset \forall i\,\forall j.\,(s(i) \sim s(j) \supset i \sim j)$

Consider arbitrary $i$ and $j$ and their respective successors $k$ and $k'$, and assume that
$k \sim k'$. We obtain $\Diamond(c[i] \wedge \bigcirc c[k])$ and $\Diamond(c[j] \wedge \bigcirc c[k])$ by substitutivity and the definition
of $s_p$. Propositional temporal reasoning yields

$$\Diamond(c[i] \wedge c[j]) \vee \Diamond\bigcirc(c[k] \wedge \bigcirc\Diamond c[k]).$$

The second disjunct does not hold since $C(c)$ holds. Hence, $\Diamond(c[i] \wedge c[j])$, that is, $i \sim j$,
holds.

• $\vdash_{T_1} (C(c) \wedge A) \supset \forall i.\,((i < 0) \equiv (i \sim 0))$

Consider an arbitrary $i$ and assume that $i < 0$, that is, $\Diamond(c[i] \wedge \Diamond c[0])$. Propositional
temporal reasoning yields $c[i] \vee \bigcirc\Diamond c[0]$. Since we have $\bigcirc\Box\neg c[0]$, we can eliminate the
second disjunct and derive $c[i]$. The definition of $0_p$ implies $c[0]$, and we obtain $\Diamond(c[i] \wedge c[0])$,
that is, $i \sim 0$.

Now assume that $i \sim 0$, that is, $\Diamond(c[i] \wedge c[0])$. Propositional temporal reasoning yields
$\Diamond(c[i] \wedge \Diamond c[0])$, that is, $i < 0$.

• $\vdash_{T_1} (C(c) \wedge A) \supset \forall i\,\forall j.\,((i < s(j)) \equiv (i \sim s(j) \vee i < j))$

Consider arbitrary $i$ and $j$ such that $i < s(j)$, that is, for some $k$ such that $\Diamond(c[j] \wedge \bigcirc c[k])$,
$\Diamond(c[i] \wedge \Diamond c[k])$. Propositional temporal reasoning yields

$$\Diamond(c[i] \wedge c[k]) \vee \Diamond(c[i] \wedge \bigcirc\Diamond c[k]).$$

If the first disjunct holds, we have $i \sim k$, that is, $i \sim s(j)$. If the second disjunct holds,
we have $\Box((\bigcirc c[k]) \supset c[j])$ (by (**)), and hence propositional temporal reasoning yields
$\Diamond(c[i] \wedge \Diamond c[j])$, that is, $i < j$.

Now assume that $i \sim s(j)$, that is, $\Diamond(c[i] \wedge c[s(j)])$. Propositional temporal reasoning
yields $\Diamond(c[i] \wedge \Diamond c[s(j)])$, that is, $i < s(j)$. Finally, assume that $i < j$, that is, $\Diamond(c[i] \wedge \Diamond c[j])$.
Consider a successor $k$ of $j$. By the definition of $s_p$, we have $\Diamond(c[j] \wedge \bigcirc c[k])$, and,
by (*), $\Box(c[j] \supset \bigcirc c[k])$. Propositional temporal reasoning yields $\Diamond(c[i] \wedge \Diamond\bigcirc c[k])$,
then $\Diamond(c[i] \wedge \Diamond c[k])$, that is, $i < k$.

• $\vdash_{T_1} (C(c) \wedge A) \supset \forall i.\,(i + 0 \sim i)$

Consider an arbitrary $i$. Suppose $k \sim i + 0$, that is, $\Diamond(c[0] \wedge p_1(i, k))$. By (*),
$\Box(c[0] \supset p_1(i, k))$ follows, and then $p_1(i, k)$, by the definition of $0_p$. The definition of $p_1$
immediately yields $i \sim k$.

• $\vdash_{T_1} (C(c) \wedge A) \supset \forall i\,\forall j.\,(i + s(j) \sim s(i + j))$

Consider arbitrary $i$ and $j$. Suppose $k \sim i + j$, that is, $\Diamond(c[j] \wedge p_1(i, k))$. The
definitions of $s_p$ and $p_1$ imply

$$\Diamond((\bigcirc c[s(j)]) \wedge (\bigcirc p_1(i, s(k)))).$$

By propositional temporal reasoning we obtain

$$\Diamond(c[s(j)] \wedge p_1(i, s(k))),$$

that is, $i + s(j) \sim s(k)$.

• $\vdash_{T_1} (C(c) \wedge A) \supset \forall i.\,(i \times 0 \sim 0)$

The argument is exactly analogous to the one for $i + 0 \sim i$.

• $\vdash_{T_1} (C(c) \wedge A) \supset \forall i\,\forall j.\,(i \times s(j) \sim i \times j + i)$

Consider arbitrary $i$ and $j$. Suppose $k \sim i \times j$, that is, $\Diamond(c[j] \wedge p_2(i, k))$. The
definitions of $s_p$ and $p_2$ imply

$$\Diamond((\bigcirc c[s(j)]) \wedge (\bigcirc p_2(i, k + i))).$$

By propositional temporal reasoning we obtain

$$\Diamond(c[s(j)] \wedge p_2(i, k + i)),$$

that is, $i \times s(j) \sim k + i$.

• $\vdash_{T_1} (C(c) \wedge A) \supset [u[0] \wedge (\forall i.\,u[i] \supset u[s(i)]) \supset (\forall i.\,u[i])]$ if $u$ is $c$-formed

Given a $c$-formed formula $u$, assume $u[0]$ and $(\forall i.\,u[i] \supset u[s(i)])$. Define the rigid
predicate symbol $p$ to be $u$ at the initial world, that is, $\forall x.\,(p(x) \equiv u[x])$, and expand $M$
with a relation for the defined rigid symbol $p$. Now we prove that $\Box\,\forall i.\,(c[i] \supset p(i))$. By
the induction principle, it suffices to show that $\forall i.\,(c[i] \supset p(i))$ holds at $w_0$ and that if it
holds at some $w_1$ such that $w_0 R_2 w_1$ then it holds at some $w_2$ such that $w_1 R_1 w_2$.

Since $u[0]$ holds at $w_0$, $u[i]$ holds at $w_0$ for any $i$ such that $i \sim 0$ (by substitutivity).
If $c[i]$ holds at $w_0$, then $i \sim 0$ (by the definition of $\sim$) and hence $u[i]$ holds at $w_0$. The
definition of $p$ immediately yields $p(i)$.

Now assume that $\forall i.\,(c[i] \supset p(i))$ holds at $w_1$ to show that it holds at some successor
world $w_2$. Consider an arbitrary $i$ such that $c[i]$ holds at $w_1$, and hence $p(i)$ holds at $w_1$.
Since $p$ is rigid, $p(i)$ holds at $w_0$ as well. The definition of $p$ guarantees that $u[i]$ holds at
$w_0$, and hence that $u[s(i)]$ holds at $w_0$. Consider an arbitrary $j$ such that $c[j]$ holds at $w_2$,
and hence $j \sim s(i)$ holds at $w_0$. Substitutivity yields $u[j]$. From the definition of $p$ we
obtain that $p(j)$ holds at $w_0$, and hence at $w_2$ as well.



The definition of $n$ implies that $\forall i.\,\Diamond c[i]$. We obtain $\forall i.\,\Diamond p(i)$. Since $p$ is a rigid
symbol, this entails $\forall i.\,p(i)$, that is, $\forall i.\,u[i]$.

• $\vdash_{T_1} (C(c) \wedge A) \supset [p(t_1, \ldots, t_k) \equiv \Diamond(c[m] \wedge p(t_1, \ldots, t_k))]$ if $p$ is rigid

Assume that $p(t_1, \ldots, t_k)$ holds. Since $p$ is rigid, $\Box p(t_1, \ldots, t_k)$ holds as well. For
any $m$, $\Diamond c[m]$ holds (by the definition of $n$). Propositional temporal reasoning yields

$$\Diamond(c[m] \wedge p(t_1, \ldots, t_k)).$$

Assume that $\Diamond(c[m] \wedge p(t_1, \ldots, t_k))$ holds. Then $p(t_1, \ldots, t_k)$ holds at some world $w_1$
such that $w_0 R_2 w_1$. Since $p$ is rigid, $p(t_1, \ldots, t_k)$ must also hold at $w_0$.

• $\vdash_{T_1} (C(c) \wedge A) \supset [\neg\Diamond(c[m] \wedge u) \equiv \Diamond(c[m] \wedge \neg u)]$

Propositional temporal reasoning yields this syntactic variant of (*).

• $\vdash_{T_1} (C(c) \wedge A) \supset [(\Diamond(c[m] \wedge u_1) \wedge \Diamond(c[m] \wedge u_2)) \equiv \Diamond(c[m] \wedge (u_1 \wedge u_2))]$

Assume that both $\Diamond(c[m] \wedge u_1)$ and $\Diamond(c[m] \wedge u_2)$ hold. Then $\Box(c[m] \supset u_1)$ holds
(by (*)); $\Diamond(c[m] \wedge (u_1 \wedge u_2))$ follows by propositional temporal reasoning.

Assume that $\Diamond(c[m] \wedge (u_1 \wedge u_2))$ holds. Then both $\Diamond(c[m] \wedge u_1)$ and $\Diamond(c[m] \wedge u_2)$
follow trivially, and so does their conjunction.

• $\vdash_{T_1} (C(c) \wedge A) \supset [\forall x'.\,\Diamond(c[m] \wedge u[x']) \equiv \Diamond(c[m] \wedge \forall x.\,u[x])]$

($x'$ does not occur in $c[m]$)

Assume that $\forall x'.\,\Diamond(c[m] \wedge u[x'])$ holds. By (*), $\forall x'.\,\Box(c[m] \supset u[x'])$ holds. This
formula is equivalent to $\Box\,\forall x'.\,(c[m] \supset u[x'])$. Since the variable $x'$ does not occur in $c[m]$,
we can derive $\Box(c[m] \supset \forall x.\,u[x])$. By (*), $\Diamond(c[m] \wedge \forall x.\,u[x])$ holds.

Assume that $\Diamond(c[m] \wedge \forall x.\,u[x])$ holds. By (*), $\Box(c[m] \supset \forall x.\,u[x])$ holds. For a new
variable $x'$, we obtain $\Box\,\forall x'.\,(c[m] \supset u[x'])$. This formula is equivalent to
$\forall x'.\,\Box(c[m] \supset u[x'])$. By (*), $\forall x'.\,\Diamond(c[m] \wedge u[x'])$ holds.

• $\vdash_{T_1} (C(c) \wedge A) \supset [\Diamond(c[s(m)] \wedge u) \equiv \Diamond(c[m] \wedge \bigcirc u)]$

Assume that $\Diamond(c[s(m)] \wedge u)$ holds. By (*), $\Box(c[s(m)] \supset u)$ holds. Together with the
definition of $s_p$, this yields $\Diamond(c[m] \wedge \bigcirc(c[s(m)] \wedge u))$, and hence also $\Diamond(c[m] \wedge \bigcirc u)$.

Assume that $\Diamond(c[m] \wedge \bigcirc u)$ holds. Together with the definition of $s_p$, this yields
$\Diamond((\bigcirc c[s(m)]) \wedge (\bigcirc u))$. The conclusion $\Diamond(c[s(m)] \wedge u)$ follows by propositional temporal
reasoning.



• $\vdash_{T_1} (C(c) \wedge A) \supset$

$$\forall i > m.\,[\Diamond(c[i] \wedge u) \vee \exists j.\,(m < j < i \wedge \Diamond(c[j] \wedge v))] \;\equiv\; \Diamond(c[m] \wedge u\,\mathcal{U}\,v)$$

Assume that

$$\forall i > m.\,[\Diamond(c[i] \wedge u) \vee \exists j.\,(m < j < i \wedge \Diamond(c[j] \wedge v))]$$

holds. Suppose that $\neg\Diamond(c[m] \wedge u\,\mathcal{U}\,v)$ holds, to derive a contradiction. By (*), we obtain
$\Diamond(c[m] \wedge \neg(u\,\mathcal{U}\,v))$, and then $\Diamond(c[m] \wedge ((\neg u)\,\mathcal{P}\,v))$. Since $C(c)$ holds, for some $k$ we have

$$\Diamond[c[m] \wedge ((c[k] \wedge \neg u)\,\mathcal{P}\,v)]. \quad (\dagger)$$

It follows that $\Diamond(c[k] \wedge \neg u)$ and $k > m$. Hence, our assumption yields

$$\Diamond(c[k] \wedge u) \vee \exists j.\,(m < j < k \wedge \Diamond(c[j] \wedge v)).$$

Since we have $\Diamond(c[k] \wedge \neg u)$, (*) enables us to eliminate the first disjunct. Thus, for some
$j$ such that $m < j < k$, $\Diamond(c[j] \wedge v)$ holds, and then $(\dagger)$ yields

$$\Diamond[c[m] \wedge ((c[k] \wedge \neg u)\,\mathcal{P}\,v) \wedge \Diamond(c[j] \wedge v)].$$

By propositional temporal reasoning, we obtain

$$\Diamond(c[j] \wedge v \wedge \Diamond(c[k] \wedge \neg u) \wedge \neg v) \;\vee\; \Diamond(c[k] \wedge \bigcirc\Diamond c[j]).$$

The first disjunct leads to $v \wedge \neg v$, an unsatisfiable formula. The second disjunct is ruled out
by $j < k$ together with $C(c)$. In both cases we have contradictions.

Now assume that $\Diamond(c[m] \wedge u\,\mathcal{U}\,v)$ holds. Suppose that

$$\neg\forall i > m.\,[\Diamond(c[i] \wedge u) \vee \exists j.\,(m < j < i \wedge \Diamond(c[j] \wedge v))]$$

holds, to derive a contradiction. Then for some $i > m$ we have $\Box(c[i] \supset \neg u)$, and hence
$\Diamond(c[i] \wedge \neg u)$ (by (*)), and for all $j$ between $m$ and $i$ we have $\Box(c[j] \supset \neg v)$. We derive

$$\Diamond[c[m] \wedge u\,\mathcal{U}\,v \wedge \Diamond(c[i]) \wedge ((\Diamond c[i])\,\mathcal{W}\,c[i])]$$

from $i > m$ and $C(c)$, and then

$$\Diamond[c[m] \wedge u\,\mathcal{U}\,v \wedge \Diamond(c[i]) \wedge ((\exists j.\,c[j] \wedge \bigcirc\Box\neg c[m] \wedge \Diamond c[i])\,\mathcal{W}\,c[i])]$$

from $C(c)$. The definition of $<$ enables us to conclude

$$\Diamond[u\,\mathcal{U}\,v \wedge \Diamond(c[i]) \wedge ((\exists j.\,m < j < i \wedge c[j])\,\mathcal{U}\,c[i])].$$

Since $\Box(c[i] \supset \neg u)$ and $m < j < i \supset \Box(c[j] \supset \neg v)$ (and $\Box(c[i] \supset \neg v)$ in particular),
propositional temporal reasoning yields

$$\Diamond[u\,\mathcal{U}\,v \wedge \Diamond(\neg u) \wedge ((\exists j.\,\neg v)\,\mathcal{W}\,(\neg u \wedge \neg v))].$$

This is equivalent to

$$\Diamond[u\,\mathcal{U}\,v \wedge \Diamond(\neg u) \wedge (\neg v\,\mathcal{W}\,(\neg v \wedge \neg u))],$$

an unsatisfiable formula.

• $\vdash_{T_1} (C(c) \wedge A) \supset (u \equiv \Diamond(c[0] \wedge u))$ for all $u$

Assume that $u$ holds. Since $c[0]$ holds, $c[0] \wedge u$ holds, and so does $\Diamond(c[0] \wedge u)$.

Assume that $\Diamond(c[0] \wedge u)$ holds. By (*), $\Box(c[0] \supset u)$ holds as well. Since $c[0]$ holds,
$u$ follows.
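As an added check (example code, not part of the paper), the following Python evaluates several of the identities of this subsection on a constructed finite trace: the duality (*) and (**), the shift $\Diamond(c[s(m)] \wedge u) \equiv \Diamond(c[m] \wedge \bigcirc u)$, and the characterisation of $\Diamond(c[m] \wedge u\,\mathcal{U}\,v)$. It assumes a prefix of N = 12 time points with the clock $c[i]$ true exactly at time $i$ (which is what $C(c)$ enforces), treats $\bigcirc$ as false at the end of the prefix, quantifies only over indices inside the prefix, reads $m < j < i$ inclusively because the page uses $<$ reflexively ($i < 0$ is equivalent to $i \sim 0$), and reads $u\,\mathcal{U}\,v$ as the weak until that the stated equivalence presupposes (it does not require $v$ to occur). The propositions U1, V1, U2, V2 are constructed samples, and all names and helpers are the example's own.

```python
"""Finite-trace check of the clock identities in 'Some useful theorems'.

Constructed example, not code from the paper.  A linear-time model is the list
of times 0, 1, ..., N-1; the clock c[i] holds exactly at time i, which is what
C(c) enforces; u and v are arbitrary propositions given as predicates on times.
Always, eventually and next are evaluated on this finite prefix only, so the
identities are checked for indices that stay inside the prefix (an assumption
of the example).  Until is the weak until: u U v holds when v occurs with u
holding at every earlier time, or when u holds from now on (assumption).
"""
from typing import Callable

Formula = Callable[[int], bool]   # a temporal formula, evaluated at a time point

N = 12                            # length of the finite prefix (constructed)


def clock(i: int) -> Formula:
    """c[i]: true exactly at time i."""
    return lambda t: t == i


def conj(f: Formula, g: Formula) -> Formula:
    return lambda t: f(t) and g(t)


def impl(f: Formula, g: Formula) -> Formula:
    return lambda t: (not f(t)) or g(t)


def eventually(f: Formula) -> Formula:          # diamond
    return lambda t: any(f(s) for s in range(t, N))


def always(f: Formula) -> Formula:              # box
    return lambda t: all(f(s) for s in range(t, N))


def nxt(f: Formula) -> Formula:                 # circle; false at the end of the prefix
    return lambda t: t + 1 < N and f(t + 1)


def until(f: Formula, g: Formula) -> Formula:   # weak until (see module docstring)
    def at(t: int) -> bool:
        for s in range(t, N):
            if g(s):
                return True
            if not f(s):
                return False
        return True
    return at


def star(i: int, u: Formula) -> bool:
    """(*): box(c[i] implies u) iff diamond(c[i] and u), at the initial time."""
    return always(impl(clock(i), u))(0) == eventually(conj(clock(i), u))(0)


def star_star(i: int, u: Formula) -> bool:
    """(**): the same duality with next(c[i]) in place of c[i]."""
    nc = nxt(clock(i))
    return always(impl(nc, u))(0) == eventually(conj(nc, u))(0)


def successor_shift(m: int, u: Formula) -> bool:
    """diamond(c[s(m)] and u) iff diamond(c[m] and next u), with s(m) = m + 1."""
    return eventually(conj(clock(m + 1), u))(0) == eventually(conj(clock(m), nxt(u)))(0)


def until_characterisation(m: int, u: Formula, v: Formula) -> bool:
    """forall i >= m. [diamond(c[i] and u) or exists j in m..i. diamond(c[j] and v)]
    iff diamond(c[m] and (u U v)); j ranges over m..i inclusive (reflexive <)."""
    lhs = all(eventually(conj(clock(i), u))(0)
              or any(eventually(conj(clock(j), v))(0) for j in range(m, i + 1))
              for i in range(m, N))
    rhs = eventually(conj(clock(m), until(u, v)))(0)
    return lhs == rhs


# Constructed sample propositions.
U1: Formula = lambda t: t < 6 or t == 8      # u fails at 6, 7, 9, 10, 11
V1: Formula = lambda t: t in (7, 10)
U2: Formula = lambda t: True                 # u forever, v never: the case that
V2: Formula = lambda t: False                # separates weak from strong until


def check_all() -> dict:
    """Run every identity over the samples; True means it held for every index tried."""
    return {
        "star": all(star(i, u) for i in range(N) for u in (U1, U2)),
        "star_star_from_1": all(star_star(i, u) for i in range(1, N) for u in (U1, U2)),
        "star_star_at_0": star_star(0, U1),      # next(c[0]) never holds, so (**) fails here
        "successor_shift": all(successor_shift(m, u) for m in range(N) for u in (U1, U2)),
        "until": all(until_characterisation(m, u, v)
                     for m in range(N) for (u, v) in ((U1, V1), (U2, V2))),
    }


if __name__ == "__main__":
    for name, ok in check_all().items():
        print(f"{name}: {ok}")
```

Running the module prints one line per identity. (**) is checked from $i = 1$ on: $\bigcirc c[0]$ never holds on a clock trace, so at $i = 0$ the left side of (**) is vacuously true while the right side is false; the page applies (**) only to $\bigcirc c[k]$ with $k$ a successor, where it holds. The pair U2, V2 is the case that distinguishes the weak reading of $\mathcal{U}$: with $u$ everywhere and $v$ nowhere the left side of the characterisation holds, so the right side can only agree if $u\,\mathcal{U}\,v$ does not demand that $v$ occur.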
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